I attended Argyle Forum's Chief Information Security Officer (CISO) Leadership Forum in San Francisco yesterday. The event had around 100 attendees, and a lot of great discussion on security trends and on the evolving role of the CISO. Much of the discussion was on the impact that cloud and mobile technologies are having on enterprises. Here are a few of the more interesting things that I observed:
- The CISO as Business Prevention Officer is dead. This is something the industry has been talking about for some time, but hearing the change in focus from prevention to enablement directly from dozens of security professionals means that the message has now been internalized. What's important about this is that switching from a prevention/control mindset to an enablement mindset means that you stop asking, "what excuse can I come up with to block/deny this request" and start asking, "what can I possibly do to enable this securely, and as quickly as possible?" It was clear that the CISOs taking this more people-centric approach are receiving dividends in the form of fewer users going "rogue" and a better partnership with the business.
- It's all about the data. The attendees really seemed to have internalized the fact that, since they no longer own or manage devices or applications, they need to find technologies that focus on securing data rather than devices or applications. As I wrote in a prior post, information security has always been about securing data, but in the past we've had the luxury of drawing a secure perimeter around large swaths of data (managed devices, data centers, corporate locations, etc.). Unfortunately, those days are over, so information security must focus on the new perimeter - the data itself.
- Cloud security policies are few and far between. During my panel session, the moderator did an informal poll of who had a formal policy for adoption of cloud applications in place. Surprisingly to me, only one person raised their hand. Yet just about everyone in the room had either sanctioned or non-sanctioned cloud apps in use somewhere in their organization. This is not dissimilar to what I remember hearing when BYOD and the iPhone hit the enterprise scene in 2009/2010, when IT succumbed to immense pressure and reactively opened up ActiveSync on their Exchange servers without first developing an overall policy.
Overall, it appears that it's both an exciting and a scary time to be a CISO. At no point has the role been more prominent or important, and I don't see that changing anytime soon. Those that are successful moving forward will adapt to changes and focus on partnering with their key stakeholders to help meet their needs rather than work against them.
How else is the role of the CISO evolving? I would love to hear your thoughts in the comments section below.
Photo Credit: @ArgyleExecForum