Todd Fitzgerald, Global Director of Information Security at Grant Thornton International, Ltd. talked about the role of the CISO in 2020.
“How did we become CISOs?” asked Fitzgerald at the outset of his keynote session at the 2016 Chief Information Officer Leadership Forum held in Chicago on June 22. The answer can often be found in our childhood, he explained. CISOs, as children, were typically infatuated with technology and doing battle with the bad guys.
“We wear many hats in security. Sometimes we wear a law enforcement hat, sometimes an IT hat, or maybe a CIA hat, or, so as not to discriminate, an FBI hat,” joked Fitzgerald. “A lot is expected of us. We need to know about security, how to manage teams, and be familiar with laws and regulations. Eighty percent of us were hired because the company realized we were necessary (often following a breach), not because it felt a CISO is just nice to have around.”
Fitzgerald noted that “CISOs change jobs every 18 months to three years. The trend seems to be toward slightly greater longevity.”
In 1998, when Fitzgerald was hired for his first CISO job, none of the current computer and Internet technologies were available. Y2K got things moving. The leading information security model in 1998 included a closed process involving assessing risk and determining needs, implementing policies and controls, promoting awareness, and monitoring and evaluating. “Whatever we missed in security was in one of these boxes,” he observed. “Security was run from the data center. It wasn’t until 10 years ago that we started to focus on risk rather than compliance. In the last five years, the CISO has moved from IT to the business suite.”
“As we know, security language may not be easily understood by the C-suite and the board, and there are differences in communication styles among the generations. By 2020, half of the workforce will be the Millennial generation, and we need to support how and where these individuals work and the technology they want to use,” Fitzgerald emphasized. “One thing I think will happen is that passwords will become obsolete.”
Fitzgerald noted these top 2016 security trends:
• Unintended consequences of state intervention
• Big Data will lead to big problems
• Mobile applications and IoT
• Cybercrime creates a perfect threat storm
• Skills gaps become an abyss for information security
Privacy is a big issue that CISOs will be increasingly dealing with, beyond “privacy principles.” According to Forrester, the most important qualities of a CISO going forward are leadership, strategic thinking, business knowledge, and risk management, said Fitzgerald. Of less importance are communication, relationship management, security expertise and technical expertise.
Steps involved in the CISO evolution from 2015 to 2020:
• Plan a path away from operations
• Refine risk management processes to business language
• Widen the vision to privacy, data management, and compliance
• Build a support network
• Create focus and attention in business leaders
Fitzgerald’s vision of the CISO in 2020:
• Has a two- to three-year roadmap tied to new business opportunities and technologies.
• Anticipates security incidents and initiates a controlled response to them.
• Controls compliance within a framework. “Pick one of the many options out there and go with it. All are industry-mapped.”
• Reports outside of IT to create a balance with IT.
• Leaves SIEM and threat intelligence to cloud providers.
• Is sourced from the business.
• Focuses on risk, knows where the data is, and knows country-specific privacy laws.
“We’re moving into the privacy and data-aware era. CISOs who know privacy laws and where their data is are going to be of the most value to their organization going forward.”
ABOUT TODD FITZGERALD:
Todd Fitzgerald is the Global Director of Information Security for Grant Thornton International, Ltd., the fastest-growing and one of the major global accounting firms, providing strategic information security leadership for Grant Thornton member firms supporting 48,000 employees in 133 countries.
Leading large company information security programs for 18 years, Todd is a 2013 Top 50 Information Security Executive, 2013–16 Ponemon Institute Distinguished Fellow, and 2015 runner-up CISO of the Year Award Chicago by AITP, ISSA, and Infragard. Todd has been recognized as a highly rated speaker at recent RSA conferences. He is the author of three books (Information Security Governance Simplified: From the Boardroom to the Keyboard; CISO Leadership: Essential Principles for Success (ISC2 Press); and 2014 Certified Chief Information Security Officer (C-CISO) (BOK)), and a contributor to a dozen others.
Todd is a frequent international security presenter. He has also earned multiple security and privacy designations including CISSP, CISA, CISM, CGEIT, CRISC, CIPP, CIPP/US, CIPP/E, CIPM, ITILv3f, ISO27000, PMP, as well as a Masters of Business Administration from Oklahoma State University.