The Evolving CISO: From Naysayer to Enabler
Chief Information Security Officers (CISOs) are not typically perceived as business enablers. Their core responsibility is to safeguard the company’s sensitive information and operational services, which makes them naturally risk-averse. Business innovation tends to require some level of experimentation, failure, and recalibration. But for the CISO, a single instance of failure can be catastrophic.
However, as digital transformation continues to disrupt traditional business models and the pace of technological change accelerates, the role of the CISO requires a re-think. While information security has never been more important, so too is the need to leverage technology to drive business innovation. Balancing that equation means evolving the approach. Instead of focusing solely on how to protect existing environments, CISOs must also aim to provide the right environment for secure business innovation. Even better, the CISO must be the enabler and introducer of innovation.
The good news is that many of the same technologies used to lock down environments can be repurposed to enable innovative new use cases with significant potential for business transformation. Additionally, new capabilities continue to emerge. Let me highlight three possibilities below:
1) Creating secure sandboxes for development teams to innovate freely
IT security policies typically restrict employees’ options when it comes to risky behavior like downloading and installing new software or accessing cloud services. While curtailing such options is a sound practice from an information security perspective (helping to prevent a key entry point for malware), it does not provide developers with the kind of creative freedom that promotes innovation.
Thankfully, there is a way to provide developers with the freedom they crave without compromising security. Technologies typically used to secure sensitive applications can be equally effective at securing risky environments. By creating developer sandboxes on virtual machines that restrict access to the host operating system, developers can be freed to do as they please, while limiting the fallout should anything go wrong.
2) Using machine learning to dramatically improve application time to market
Cloud architectures have not only transformed the way in which infrastructure is managed but have also revolutionized software development. Modern development methodologies, like agile and DevOps, encourage much more frequent releases of code into production. While this enables organizations to quickly incorporate new business functionality and capabilities, it also causes challenges for the CISO’s office.
To cope with this increased cadence of code releases, CISOs need to modernize their application security program. AppSec programs, where they exist today, generally rely on scarce human capital to intervene and make decisions throughout the development process. Humans were always a bottleneck, but in the new world of rapid development that is simply no longer practical. By using technology, with underlying artificial intelligence and machine learning algorithms, to understand everything that is happening within the development process, the system can eliminate 90+% of the current human interactions by making decisions on its own. This is a huge win for the CIO because it removes a large amount of friction from the dev process and thus improves time to market. It is also a win for the CISO because their security experts can focus on the issues that genuinely need their expertise.
3) Freeing the value of data
But maybe the biggest opportunity for the CISO is with respect to data. The big data revolution continues to gather pace, with organizations of all kinds collecting ever-greater volumes and varieties of data, at ever-faster velocities. That data has the power to transform a full gamut of business operations, providing insights into markets, customers, processes, finances, products and services. But there are a growing number of use cases where organizations can derive even greater bottom-line value from data if they can monetize it and share it with partners, clients, or industry counterparts. When was the last time the CISO helped unlock the potential of a whole new revenue stream for the enterprise?
The challenge lies in the fact that data privacy regulations and laws around the globe correctly prohibit the sharing of information containing personally identifiable information. To address that requirement while still exploiting the opportunity of a new revenue stream, organizations need to find ways to share access to data and process it in a privacy-preserving fashion, protecting individuals’ right to privacy while still retaining the ability to analyze the data to support new use cases and generate profits.
Homomorphic encryption provides the means to do exactly that. Data remains encrypted, ensuring personally identifiable information is never revealed, but can still be queried. The full range of use cases enabled by such secure, anonymized information sharing is still evolving. But significant progress has already been made in industries that handle highly sensitive personal data, such as financial services and healthcare. That said, the ability to share data securely has the potential to benefit all manner of industries, giving organizations access to larger data sets from which to derive deeper and wider insights, new business opportunities, and new revenue streams.
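To make the "queried while still encrypted" idea concrete, here is an added example (not from the original post, and not any vendor's product) of the additively homomorphic Paillier scheme: a partner holds only ciphertexts of individual salary records, yet can compute the encrypted total that the data owner later decrypts. It is a textbook construction with the keys and sample records constructed inline for illustration; a real deployment would use a vetted library and 2048-bit or larger moduli, and this scheme supports sums and scalar multiples only, not arbitrary queries.

```python
import secrets
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def keygen(p: int, q: int):
    """Paillier keys with the common simplification g = n + 1."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)            # modular inverse, Python 3.8+
    return (n, n + 1), (lam, mu)    # (public key), (private key)


def encrypt(pub, m: int) -> int:
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1          # random blinding factor
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    l_val = (pow(c, lam, n * n) - 1) // n     # L(x) = (x - 1) / n
    return (l_val * mu) % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the underlying plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


# Constructed toy primes (far too small for real use) and sample records.
PUB, PRIV = keygen(1000000007, 1000000009)


def encrypted_total(values) -> int:
    """Data owner encrypts; the partner sums ciphertexts without the
    private key; the owner decrypts only the aggregate."""
    ciphertexts = [encrypt(PUB, v) for v in values]   # owner side
    acc = encrypt(PUB, 0)                              # partner side
    for c in ciphertexts:
        acc = add_encrypted(PUB, acc, c)
    return decrypt(PUB, PRIV, acc)                     # owner side
```

Each ciphertext is freshly randomized, so two encryptions of the same salary are indistinguishable to the partner, who never learns an individual value.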
The growing value of information
The role of the CISO has grown a lot in prominence since I first became a CISO in 1997. Companies across all industry sectors have recognized the growing value of their proprietary information and called on CISOs to protect that information from threats inside and out. While that challenge continues to grow, CISOs now have the opportunity to add additional strings to their bow. They will always form an integral part of companies’ defensive roster. But their know-how is increasingly being called upon to serve as an enabler: an enabler of better ways of doing business and an enabler of whole new business opportunities centered around security technology innovation.