Few would deny that the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.
Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company's risk profile and risk appetite and then mitigating the risks accordingly.
Greg Thompson, vice president of enterprise security services and deputy CISO at Toronto's Scotia Bank, already sees his role evolving into something like head of operational risk management. Scotia is Canada's third largest bank.
"The writing is on the wall," said Thompson. "Ten years ago this role was highly operational. We had to get better at operationalizing vulnerability management and putting the right controls in place."
As a CISO in a heavily regulated industry in a risk-averse country, Thompson says he is seeing ever-greater reporting requirements and more need for expertise in operational risk management. He now tracks and manages the full gamut of risks other than financial: fraud, hackers, hacktivists, breaches of privacy, configuration risk, risk of attack by nation states, reputational risk, facilities risk, IT process risk, compliance risk, and supplier/service risk.
"We used to just look at these as security risk indicators. Now, they are key risk indicators. We now look beyond information security and try to understand the rest of the picture," he said, adding that the regulatory climate is driving some of this new emphasis.
The new metrics
Thompson is excited at the prospect of his role expanding, but he feels there is a lack of appropriate metrics to help him define and track enterprise risks.
"We need to find a set of metrics that speak to risk in real terms. There are things like mean time to patch, how many open audit findings. But that's not enough. Defining the measurements is the ultimate challenge," he said.
Right now, his organization is working on developing baselines that will be trustworthy markers now and in the future.
Relevant metrics are changing right along with the CSO role. Thompson has seen some risk metrics change in recent years. For example, the information security function at Scotia Bank used to rely on "age of vulnerability" as an indicator of the level of risk, on the assumption that the longest-standing vulnerabilities were riskier than new ones. Now, the bank has matured its risk analysis so that it focuses not on the age of the vulnerability but on the threat agents that exist to exploit it.
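To make the shift concrete, here is an added example (not code from the article or from Scotia Bank) that computes the two operational metrics Thompson mentions, mean time to patch and the count of open findings, and then ranks the same set of open vulnerabilities two ways: by age alone, and by the number of known threat agents targeting each one. The finding records, the dates, and the `threat_agents` count (a stand-in for whatever threat-intelligence assessment a real program would use) are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional


@dataclass
class Finding:
    """One vulnerability finding from a scanner or audit (constructed for this example)."""
    vuln_id: str
    discovered: date
    patched: Optional[date]      # None while the finding is still open
    threat_agents: int           # assumed: number of known actors/exploits targeting it


def age_days(finding: Finding, today: date) -> int:
    """Age of a finding in days, measured to the patch date if patched, else to today."""
    end = finding.patched if finding.patched is not None else today
    return (end - finding.discovered).days


def mean_time_to_patch(findings: List[Finding]) -> float:
    """Average days from discovery to patch over the findings that have been closed."""
    closed = [age_days(f, f.patched) for f in findings if f.patched is not None]
    return mean(closed) if closed else 0.0


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Findings with no patch date yet."""
    return [f for f in findings if f.patched is None]


def rank_by_age(findings: List[Finding], today: date) -> List[str]:
    """Legacy view: the oldest open vulnerability is treated as the riskiest."""
    opened = open_findings(findings)
    return [f.vuln_id for f in sorted(opened, key=lambda f: age_days(f, today), reverse=True)]


def rank_by_threat_agents(findings: List[Finding], today: date) -> List[str]:
    """Matured view: rank by how many threat agents exist to exploit it; age only breaks ties."""
    opened = open_findings(findings)
    return [
        f.vuln_id
        for f in sorted(opened, key=lambda f: (f.threat_agents, age_days(f, today)), reverse=True)
    ]


# Constructed sample data: two closed findings and three open ones.
TODAY = date(2013, 6, 1)
SAMPLE_FINDINGS = [
    Finding("V-1", date(2013, 1, 1), date(2013, 1, 15), threat_agents=0),
    Finding("V-2", date(2013, 2, 1), date(2013, 2, 11), threat_agents=2),
    Finding("V-3", date(2012, 6, 1), None, threat_agents=0),   # old, nobody known to target it
    Finding("V-4", date(2013, 5, 1), None, threat_agents=3),   # new, actively targeted
    Finding("V-5", date(2013, 3, 1), None, threat_agents=1),
]

if __name__ == "__main__":
    print("mean time to patch (days):", mean_time_to_patch(SAMPLE_FINDINGS))
    print("open findings:", len(open_findings(SAMPLE_FINDINGS)))
    print("ranked by age:          ", rank_by_age(SAMPLE_FINDINGS, TODAY))
    print("ranked by threat agents:", rank_by_threat_agents(SAMPLE_FINDINGS, TODAY))
```

With this data the age-based ranking puts the year-old V-3 first even though nothing is known to target it, while the threat-agent ranking moves the month-old but actively targeted V-4 to the top; the two operational metrics stay the same under either view, which is the point Thompson makes about them being necessary but not sufficient.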