. . . and how do you organize for it?
Aren’t they the same? If not, don’t they have something like 90% overlapping responsibilities?
These questions are being raised more and more, and may be answered differently for various business types. The security landscape is evolving, and companies are adapting to this shifting scenery, some by creating a new role of Chief Cyber Security Officer (CCSO).
Some people are of the opinion that Cyber Security is a complete subset of Information Security, and the CCSO role is contrived to use the latest buzzword to make people think the company is ‘on top of current events’. In fact, I talked to a CISO of a bank last week and he told me they were hiring a CCSO in the next few weeks (not reporting to him), and he hadn’t been told what the new person would be doing.
The way I see it, Information Security and Cyber Security are two fairly different, though oddly overlapping roles, with varying responsibilities to address a growing number of ‘securification’ needs.
Cyber Security covers attack vectors that fall under the category of ‘Cyber Space’. In 1984, science fiction writer William Gibson defined the term as:
“A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system.”
Amazingly, this is still accurate — albeit very broad — except for the ‘legitimate’ part. We need to secure Cyber Space from the acts of illegitimate actors.
Recently, I had a very interesting conversation with Melody Pereira, North America IT Security Officer for Allianz on this topic, including how reporting structures should look. Ms. Pereira sums it up succinctly: “a CCSO’s responsibility is to stay knowledgeable about the threat environment as it pertains to the use of the Internet from within their own computing networks, match that ‘threat set’ with the footprint their company presents and secure against hazards in that intersection. Their responsibility is also to limit the damage, or scope of the breach, should it occur.” I agree with this non-boundarized role description. Notice there’s nothing in there about data classification, audit committees or regulatory compliance. The focus is on threats and exposure, and reducing risk and impact of breaches.
Information Security functions are a bit broader. These encompass securing information in any form - physical documents, word of mouth, and the devices on company networks. Information security officers are also responsible for meeting Governance, Risk, and Compliance (GRC) requirements. This includes data classification, user awareness programs, working with external security audit entities, etc.
The Cyber Security team will report metrics and solution descriptions to the Information Security team, but should not report to them organizationally. Depending on the type of company and the business they are in, the organization will look different from company to company. An enterprise with significant GRC requirements will need to have clear separation between the CCSO and the CISO functions. A financial institution could optimize with a reporting chain such as this:
CCSO => CTO or CIO or CSO => COO/CEO
CISO => Chief Risk Officer (CRO) or General Counsel (GC) => COO/CEO
High technology or retail firms may not require such a clear differentiation between the CCSO and CISO roles, as the regulatory control environment is quite different from that of financial institutions, but you get the idea.
As companies mature in their total approach to securing infrastructures, including the governance and reporting of their security posture, we will see more trending towards this separation of duties and responsibilities.