RSA: CISOs as Entrepreneurial Business Partners
By Tony Kontzer
If there's any single takeaway from an RSA Conference panel of chief information security officers I attended Thursday, it's this: IT security execs increasingly see their role as an entrepreneurial partner to the business.
This represents serious progress for a group business folks have often considered the lunatic fringe of IT. IT security teams have generally been seen as an obstacle, a necessary evil that's there to protect a company from the bad guys, but which also often finds itself protecting the company against its own employees' lack of security savvy.
Today, CISOs are not only looking to forge stronger ties with the business, they're looking to do so as innovators who contribute to the bottom line. Doing so gives IT security execs a stronger corporate voice, Tony Spinelli, CISO of credit reporting firm Equifax, told the RSA panel audience. "If you're a great partner to the business, and they understand you're there to enable growth, they're going to bring you to the table."
This must be a strange concept to some long-time IT security pros. A place at the table? For the lunatic fringe? Not so far-fetched, especially if you consider Forrester Research's findings (shared by panel moderator and Forrester VP Khalid Kark) that growing numbers of IT security execs now report directly to the CEOs, presidents and boards of directors of their companies. This makes a powerful statement: We value you enough in the current business paradigm to make you an active participant in determining our strategic direction.
What's important is that CISOs accept this new responsibility and alter the way IT security is perceived by becoming more a part of the team, rather than the enforcer behind the IT curtain. It also means that IT security leaders have to revisit their long-held perspectives on what constitutes acceptable risk. "We're trying not to shy away from what appears to be risky," Intel CISO Malcolm Harkins said during the panel discussion. "If we don't do this, the business will go around us, and it will end up being riskier."
In other words, the days of issuing blanket answers of "no" to requests related to cloud computing, social media, or mobile access to applications are over. Instead, IT security folks have to change the way they approach activities that raise red flags. Case in point: Bruce Jones, global IT security and risk manager for Eastman Kodak Co., now provides employees with guidelines on how to effectively manage the security settings on their Twitter and Facebook accounts, rather than trying to block access to those sites, as many companies do.
Another example from Harkins illustrates this perfectly: About a year ago, an Intel engineer shot video of a proprietary process and posted it on YouTube as part of an information exchange with another part of the company. The thinking was that only the interested parties would view it, and in years past, this probably would have caused IT security to issue dictates prohibiting video recordings of proprietary processes, much less posting those on YouTube. But Harkins took a different and decidedly 2010 IT security view: "I saw this as a failure of our IT organization to provide the ability to collaborate effectively," he told the RSA panel audience.
All of this leads me to this conclusion: A new era is upon us in which IT security just might shed that lunatic fringe label.