A session was held at this year’s SC Congress Toronto called “A Day in the Life of a CISO”, with Kent Schramm as one of the panelists. He is the chief information security officer for the government of Ontario, which has 60,000 employees and serves 13 million citizens. Schramm talked about the ongoing push/pull dynamic between him and various provincial ministries and departments.
“They want to do things quicker, faster and ‘yesterday’ and I come along and say you can’t do this because you’re gonna be on the front page of the Toronto Star,” he said.
Actually, the Ontario Ministry of Health did end up in the Toronto Star on the exact same day Schramm sat on the panel. No one in the room asked Schramm about the Star story (the Ontario health minister had just announced plans to crack down on healthcare privacy breaches). But Schramm’s anecdotal example surely rang a bell with fellow CISOs in the audience: business unit heads want to do X and those naysayers in IT security “come along and say you can’t,” as he put it.
Schramm said it’s a fundamental issue that affects how he does his job every single day. It’s also the same issue that was addressed at the same event last year by Jamie Rees, CISO for the government of New Brunswick.
“The new role of the CISO is not to be an Internet cop,” Rees told me in an interview following his presentation at SC Congress Toronto 2014. “It’s certainly been a struggle, changing that mindset from what I like to call the Internet cop to an enabler (or) a business person.”
The evolving role of the CISO – from IT gatekeeper/dream crusher to business enabler – was also on the mind of Samer Adi, Schramm’s co-panelist at this year’s event.
“You don’t want to be the most secure business that’s out of business,” said Adi, CISO at Capgemini Canada. “Security has to be tight, yes, but just enough to allow your business to grow.”
That delicate tightrope walk was the subject of a blog post earlier this year by Mitch Bishop, CMO at cloud security firm CloudPassage.
“Traditionally, CISOs were the Dr. No of the organization,” Bishop wrote. “As a result, Dr. No delivers steady resistance to business leaders, which is counter-productive to the growth mandate.”
“What if there was a different vision for the CISO?” Bishop continued. “One that enabled them to say ‘Yes’ more often than ‘No,’ a vision that positioned security as more than just an operational tax on the business?”
Schramm and Adi both explained how that vision might be achievable and some steps that may help us get there.
Don’t sugarcoat it: Some situations allow for a qualified ‘yes’ — as long as you fully explain the IT risks involved. “I want to be sure you as a (business) manager are aware of the risk and understand the risk,” said Adi. “Ensure the business owner is willing to accept that risk,” added Schramm.
Make the business case: Frame IT risk in a way managers care about. “You want to be sure they understand the risk from a business perspective, like your website would go down or you won’t be able to collect taxes or whatever,” Adi said.
Break it down: Instead of putting a blanket “no” on nearly everything, take a situational approach to IT security risk that can be applied quickly in various circumstances, Schramm suggested. If you rank parts of the network in terms of business importance, you can prioritize risk levels and size them up faster for other department managers.
As Schramm neatly summed it up, “My role has changed from CISO to chief risk advisor to the business.” Perhaps his unofficial title isn’t Dr. No anymore, either.