HPE Business Insights
Interview with a CISO—the White Rabbit meets a vampire and zombie-killer!

MylesS on ‎05-16-2013 01:42 PM

Several years ago, I saw the movie “Interview with the Vampire.” I don’t know about you, but that movie really haunted me afterward. Amazingly, I know many people who are haunted by their chief information security officers. After all, these folks are trying to prevent vampires and zombies from creeping into their enterprise network. Now, I do know from firsthand experience that CISOs and their teams do not use garlic, crosses or even stakes to protect their networks. In fact, even at a distance, they don’t smell especially offensive.


So, given my personal aversion to vampires and zombies, my first question in my interview of a CISO was: "What keeps you up at night?" I was told in great detail that it is the threat of a "Sony-class" breach. For those who are not aware, this type of breach not only damages the corporate brand, but it can also result in 10 years of government monitoring. Pretty scary stuff, if I say so myself.


One of the things that I found amazing is the level of business access and involvement that CISOs have. Not only do they regularly meet with the global CIO, but they also interact with legal, privacy and even key business executives.

At this point, I asked about the tools of the craft; this time, I was truly not expecting to hear garlic, crosses and stakes. I was told that, historically, security organizations developed and used a set of homegrown tools. But security teams are finding that the bad guys are getting smarter and smarter.


In this environment, the CISO has needed to get closer and closer to business leadership. After all, security is another element of business risk. CISOs need to determine what level of risk their business is willing to accept, and that includes determining the appropriate control mechanisms. Clearly, the threat landscape has gotten stealthier and attacks have become more difficult to catch. Today, "We are dealing with advanced persistent threats," according to the CISO.


To respond to the raised threat level, this CISO has chosen to move to industry-standard, risk-based methodologies: ISO/IEC 27001 and NIST SP 800-53. He is even looking at COBIT 5 and its continual-improvement concepts for security. Nevertheless, he said that NIST SP 800-53 requires conscious choices; not every control is applicable to every organization. You need to determine with your business stakeholders (no, they aren't the people holding stakes) what is important and, in some cases, what is more important.


Clearly, CISOs need to choose from among risk management approaches. At the same time, they need to demonstrate to business and IT leadership that they can measure, manage and improve security. Their foremost goal, according to COBIT 5, should be to keep the impact and occurrence of information security incidents within their enterprise's risk appetite. Doing this starts by putting in place a system that effectively addresses enterprise information security requirements. Next, they need to ensure their plan is not only accepted, but also effectively communicated throughout the enterprise. And finally, they need to ensure that information security solutions are implemented and operated consistently throughout the enterprise. Doing these things clearly makes the world, and CISOs in particular, not so scary.


Related links:

Solution page: HP Security Management

Twitter: @MylesSuer

About the Author


Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product Management including IT Financial Management and Executive Scorecard.

HeatherMackey on ‎05-16-2013 02:46 PM

Great article, Myles! Makes complete sense that the CISO is getting closer to business leadership.
