From CISO to Digital risks director

September 12, 2016 by Jérôme Richard

CISO Role and responsibility

An organization's Chief Information Security Officer (CISO) is defined by the CIGREF in its "nomenclature des métiers 2015" as being in charge of "[the definition of] the Information Systems Security Policy (ISSP) and its application. [He] provides counsel, support, information, training and alerting".

Reporting to either the Chief Information Officer (CIO) or the Chief Executive Officer (CEO), depending on the stakes and risks handled by the IS (legal risks included), his responsibilities cover a wide set of organizational and technical topics, as defined in ISO 27001:2013, Annex A.

Depending on the organization's size and business area, a Chief Security Officer (CSO) may complement his activities, building on the ISS requirements formalized by the CISO, with the physical security topics that apply to people, environment and buildings.

Digital transformation: stakes and impacts on IS

The latest, but not least, of the transformations undergone by Information Systems is known as digital transformation. According to Wikipedia, digital transformation "[…] refers to the changes associated with the application of digital technologies in all aspects of human society".

This concept, and the name it goes by, varies with its context of use. For example, the fourth industrial revolution (aka Factory 4.0) refers to the digital transformation applied to industrial means of production (Industrial IS included); the digital enterprise is the result of the digital transformation of an enterprise's production chain. It is defined by the CIGREF as "an enterprise which creates value from the digitalization of its activities".

These "marketing" terms bundle together a set of evolutions and technological innovations. These technologies have been developed over the past years and impact architecture as much as use cases and IS organization (IoT, Cloud Computing, Cyber-Physical Systems, Big Data, Blockchain, BYOD, mobility, digital workplace, …).

Even if these technologies and usages represent an opportunity to create business value along the production chain (digital business and marketing solutions, digital desktop, ...), they also imply new Information Systems risks. For example, the following risks are a direct consequence of this transformation:

- Systemic risk: due to the growing number of IS interconnections (Enterprise and Industrial), an exploit that occurs on one part of the value creation chain may impact the whole chain;
- Legal risk: hosting, consulting or handling personal data in a way that does not comply with the local legal framework ("Loi Informatique et Liberté du 6 janvier 1978", "directive européenne n°95/46/CE" on personal data transfer outside the European Union, …) could lead to lawsuits;
- Strategic and/or confidential data leak: the emergence of new usages over the past years (BYOD/mobility, remote working, collaborative platforms, …) makes it harder to secure the information handled, and therefore raises the risk of sensitive data leaks;
- Breach of e-reputation: both the impact and the likelihood of this pre-existing risk are amplified by the increase in communication channels deployed by the enterprise following its digital strategy (Facebook pages, LinkedIn, Viadeo, forums, web sites, blogs, Twitter, …);
- …

Consequences on CISO's role

Information, including sensitive information, whose distribution used to be relatively controlled, is now exchanged with a growing number of stakeholders (customers, internal IS or partners) to be consulted, enriched, transformed and hosted outside the enterprise's datacenters.

As a consequence, this extended enterprise IS implies an evolution of the CISO role so that he can take the global approach required to cover IS risks properly. This specifically implies:

- having the competencies related to the concepts and technologies of digital transformation, in order to evaluate their impact on the Information System, for example the resulting logical and physical links (Enterprise and Industrial ISS) and their related risks;
- contributing to the change management plan (definition and follow-up) related to the ISS risks specific to the digital transformation, through dedicated training and awareness action plans;
- contributing to a controlled evolution of processes, services and environments (from an ISS perspective) by supporting stakeholders (business, CIO) throughout their digital transformation projects;
- contributing, together with the Legal Department, to the formalization of ISS requirements in order to cover the legal risks associated with this context (information lifecycle, IS auditability, reversibility, ...);
- influencing enterprise governance according to the transformation stakes that apply to the organization (links between CIO, business and digital, roles and responsibilities, ...).

Conclusion

The CISO role has evolved with the transformations undergone by Information Systems. From a technical expert, he became a project leader with growing capabilities, able not only to define an ISS policy but also to manage its application, from a technical as well as a legal or organizational point of view. He must change again to become the architect of digital trust, communicating with the business and guiding the coming transformations instead of enduring them.

References

[CIGREF1] "Nomenclature des métiers 2015":
    http://www.cigref.fr/nomenclature-rh-cigref-nouveautes-2015

[ISO1] "ISO 27001":
    http://www.iso.org/iso/fr/iso27001

[WIKI1] "Digital transformation":
    https://en.wikipedia.org/wiki/Digital_transformation

[CIGREF2] "Les risques numériques pour l'entreprise":
    http://www.cigref.fr/les-risques-numeriques-pour-lentreprise

[WIKI2] "Internet of Things":
    https://fr.wikipedia.org/wiki/Internetdesobjets

[ECO1] "ECONOCOM Digital Center: Examples of Digital transformation applied to Health, Education and Mobility":
    http://www.econocom.com/innovation/the-digital-center

[LEGI1] "Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés":
    https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460

[LEGI2] "Directive 95/46/CE du Parlement européen et du Conseil, du 24 octobre 1995 [...]":
    http://eur-lex.europa.eu/legal-content/FR/TXT/HTML/?uri=CELEX:31995L0046