Gone are the days when being a CISO (or even just ‘the security guy’) was about actual information security or IT security. Even the term IT security is outdated now, as it emphasizes a one-dimensional view of what security is really about. However, I digress…

The information security element of CISO is correct, but for a variety of reasons, the CISO’s role is very different from what it was a decade ago. Back then, the role required a strong technologist who understood the firewalls, their rules, the cryptographic controls and even how to code hotfixes on the fly. This isn’t surprising given that the role almost wholly came from an IT background. Back in the day, mere lip service was paid to the human element, and the legal considerations were considered to be quite simply “someone else’s job.”

I was often asked what my job as a CISO entailed, and I used to say “PowerPoint and politics” jokingly; the odd thing though is that this response is not far from the truth at all. My role became significantly less about my understanding of specific niches of information security knowledge and more about putting across to the business what this information security lot was all about and how it helped the business stay competitive, out of trouble or even just in business. The more I did this, the more I became embroiled in the day-to-day machinations of how a business works. The inescapable conclusion I came to was this: even if information security is seen as essential and vital to the business, it is still just one voice of many that are trying to influence, cajole and be heard.

Moreover, this is where the politics come in, unfortunately. It is human nature and the way of businesses around the world. Politics