Expectations have to be clear to both parties. When expectations are not clear, they tend not to be met. A CISO needs to understand the expectations placed on the role and communicate clearly when those expectations are unreasonable or cannot be met for some reason.
I wrote a blog post about the importance of defining what the organization expects from the CISO:
The role of CISO is an important one. It must be. It has Chief right in the title. The question, though, is what exactly does a company expect a CISO to do? You can’t meet or manage expectations if you don’t know what they are, and there’s a good chance you won’t keep your CISO job very long if you can’t meet expectations.
A CISO is responsible for securing and protecting information assets, but the job description is broader than just security. In order to be “C-level” and have a seat at the executive management table, the CISO also has to have a grasp of business vision, finance, and human resources, among other things.
Andrew Wild, CISO of Lancope, echoed this sentiment in a blog post earlier this year. “The transformation centers on the CISO – or whoever is responsible for information security – moving from being primarily responsible for implementing and managing technology solutions to someone who is seen as a critical risk management advisor for information security, analogous to how CFOs advise on financial risk and General Counsels advise on legal risk.”
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks. They respond to incidents, establish appropriate standards and controls, manage security technologies, and direct the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance. (Source: Wikipedia, Chief information security officer)
The primary goal of a CISO is security. It’s important, though, that the CISO view security from the perspective of the business. Enforcing draconian security measures can block innovation and hinder productivity. Sacrificing security can violate compliance mandates and put the company at risk. The CISO has to implement security measures that facilitate rather than obstruct business while finding a workable balance that protects information assets and shields the company itself from unnecessary risk. Simple, right?
You can read the full story on the RSA Conference blog: What Do Companies Expect From a CISO?