A few days ago I had the privilege of providing the opening keynote address at an IANS event in Dallas. If you’re not familiar with IANS (Institute for Applied Network Security), I encourage you to look into it as I believe it serves a very useful purpose and is working hard to be forward-looking. Regardless, one of the questions that was discussed at this event was how much of a CISO’s focus should be on business versus technology. The premise being that CISOs have historically focused most of their attention on the latter rather than the former, and that this needs to be reversed so that they can better align the security program with business objectives. Although I understand where this is coming from, I’d like to offer a slightly different (but compatible) perspective.
The question of how focused CISOs should be on technology versus the business inherently draws a line between them, as if they're two separate things. This overlooks the fact that technology (and the risk associated with it) exist because of business objectives and decisions. In other words, technology, information, and their related risks are artifacts of the business.
If we come at it from this perspective, the question regarding CISO focus changes to one of being able to understand, measure, and communicate to executives the risk dimension of technology/information within the context of the business. Yes, this requires an understanding of technology and business, but the focus is on connecting the dots rather than treating them as somehow separate.
When that happens, business executives will better understand the risk implications of the decisions they make, which improves their ability to avoid or correct serious risk conditions. This also means that a CISO's strategy is much more likely to be aligned with the business, which will improve their ability to get the support they need to be effective. It also makes the role and responsibility of business executives in the risk posture of an organization, much clearer.
So, yes — CISOs need to understand technology and business, but I believe the focus needs to be on understanding them as inseparable parts of a whole rather than as somehow distinct from one another.
Jack Jones is the creator of the FAIR (Factor Analysis of Information Risk) model. Got a question for Jack? Become a FAIR Institute member and join the discussion on Link.