The CISO . . . an Accountant or a Chief Financial Officer?

Access Risk Management Blog | Courion

Chris Zannetos

As part of CONVERGE, Courion’s 11th annual customer conference held last month in Atlanta, we convened an Executive Forum of 20 CIOs, CTOs, and CISOs along with leading consultants and Courion executives to discuss key strategic issues. In addition to the requisite discussion of the impact of the Cloud and the Consumerization of IT, we discussed the evolving role of the senior IT security executive.

We have held this Executive Forum for several years now. Looking back, I wish we’d had the foresight to capture these proceedings on video over the years to observe our evolution, much like the famous documentary Seven Up!, which chronicles the lives of fourteen British children in installments every seven years as they age and their world views evolve. If we had, not only would we have seen my hair fade to gray, we would also have seen a significant evolution in the perspective of what it takes for an information security executive to be truly successful.

As the discussion at CONVERGE progressed, I was reminded that the role of CISO is still in its adolescence, much like those British schoolchildren in the early documentaries. Other organizational roles have been around a bit longer, and perhaps we in the information security world can learn from them – the Chief Financial Officer, for one.

My CFO likes to tell the story of a meeting he had with financial auditors to discuss an accounting treatment for a particular transaction. After the review, a young audit associate stated, “Well, that is sort of in the gray area.” My CFO’s response? “My entire job is in the gray area!”

As you advance up the chain of command in a financial organization, you are called upon to adopt the more holistic view of a business executive. No longer can you optimize on just one variable – you must understand the breadth of impact a decision may have on the business as a whole, not only today, but also in the future. Those who do not have the interest or the capacity to do so remain accountants, where the landscape is black and white. It’s a debit or a credit. Accounting rules and guidance dictate what you can and cannot do, and if an action is not addressed by the rules . . . you cannot do it. Even where the regulations leave room for judgment, the accountant allows no room for interpretation. To do so would disturb the balance of the universe.

In contrast, the CFO needs to focus on the business as an ongoing entity beyond the numbers. His job is to understand, communicate and help manage the financial health of the business. And the numbers don’t always tell the story – in fact, they sometimes obscure it.

This is the same evolutionary leap that the information security executive must take. In the security world, many act and talk as if the world is black and white. Something is either secure, or it isn’t.

If there is a lesson we should learn from the last few years, it is that compliance does not equal security, and nothing can be 100% secure. A focus on security alone, treated as a binary property rather than as one input to a risk decision, obscures the issues that matter most to the business, and it is destined to fail. In Finance, it is the numbers versus the business health. In IT, it is “security” versus “the business risk.”

An IT Security “Accountant” believes he is responsible for ensuring that all is secure and that the business never suffers a loss related to the company’s technology infrastructure. An IT Security “CFO” believes he is responsible for ensuring that the business understands the risks it is taking, aligning IT and security spending with the business’s risk appetite, and delivering the capability to quickly understand and respond when risk changes or an adverse event is realized.

Doing so elevates the Information Security Executive to a role where he is included in, and integral to, business discussions with C-level executives. And judging by the conversation during our most recent Executive Forum, leading IT Security Executives are making this intellectual, and in some cases operational, leap. As a result, they are called more frequently into Board Meetings, their companies’ Audit Committees now include members with significant IT experience, and they integrate their work with Enterprise Risk Management efforts.

The opportunity is here today for you to elevate the work of the CISO. Move into the gray area and widen the lens from security to business risk management. Perhaps this is more of an imperative than an opportunity, because if, as a CISO, you do not follow the example of the CFO and become a business force, you may be relegated to the back room and pulled out only at audit time – just as an accountant is.