In 1995, Citicorp (now Citigroup) named Steve Katz its Chief Information Security Officer (CISO). Katz is credited as the first person anywhere to hold the title. More than 20 years on, the enterprise landscape has changed dramatically, posing new challenges and threats to a firm's vision and security. The adoption of fast-growing technology such as cloud computing and "as-a-Service" offerings keeps raising the bar for enterprise security.
The CISO is responsible for implementing and maintaining the enterprise security vision and strategy while minimizing IT risk along the way. Like many roles in the enterprise, this one relies on technology. ISACA (the Information Systems Audit and Control Association) describes six outcomes that information security governance should deliver, which leaves most CISOs needing a dashboard that keeps a laser focus on those objectives.
The six outcomes include:
CISOs are tasked with keeping senior management informed about the status of the firm's information security investments and the business risks involved. In broad strokes this extends beyond traditional security concerns to human resources and to legal and regulatory compliance.
Digging deeper, to make effective business and operational decisions a CISO needs a wide range of risk metrics: risk identification, quality and service levels, log and patch management, network discovery, attack monitoring and threat management, and security incident statistics such as counts and reaction times.
With such diverse needs, implementing a CISO dashboard is not an open-and-shut case, or at least it shouldn't be. It is critical to develop a plan based on the information gathered and to create a roadmap for the selection process. Review the metrics each candidate solution reports and prioritize the ones that coincide with the firm's business objectives. Put that plan into action by developing the metrics, defining each one at a granular level, and writing requirements for how it will be visualized. Finally, define the data sources and technical requirements before implementation and user training.
Once a solution is in place, it should be optimized continually. That is the only way to keep reporting in line with company objectives, because metrics evolve along with security capability and the threat landscape. Shifting business priorities, new assets, company acquisitions and newly discovered vulnerabilities are all factors that should trigger adjustment.
A proper dashboard implementation will be scalable and ready to evolve with the firm. All of this may sound obvious, but you would be surprised how many firms fail to "measure twice and cut once" when working through the process. While much has changed since Katz assumed his position, the responsibilities of the CISO today are much the same: keeping information secure in an efficient and effective way.
What’s on your CISO’s dashboard?