Interview with a CISO—the White Rabbit meets a vampire and zombie-killer!


Several years ago, I saw the movie “Interview with the Vampire.” I don’t know about you, but that movie really haunted me afterward. Amazingly, I know many people who are haunted by their chief information security officers. After all, these folks are trying to prevent vampires and zombies from creeping into their enterprise network. Now, I do know from firsthand experience that CISOs and their teams do not use garlic, crosses or even stakes to protect their networks. In fact, even at a distance, they don’t smell especially offensive.


So given my personal aversion to vampires and zombies, my first question in my interview of a CISO was: “What keeps you up at night?” I was told with great detail that it is the threat of a “Sony-class” breach. For those who are not aware, this type of breach not only impacts corporate brand, but it can result in 10 years of government monitoring. Pretty scary stuff, if I say so myself.


One of the things that I found amazing is the level of business access and involvement that CISOs have. Not only do they regularly meet with the global CIO, but they also interact with legal, privacy and even key business executives.

At this point, I asked about the tools of the craft—this time, I was truly not expecting to hear garlic, crosses and stakes. I was told that, historically, security organizations developed and used a set of homegrown tools. But, the security folks are finding the bad guys are getting smarter and smarter.


In this environment, the CISO has needed to get closer and closer to business leadership. After all, security is another element of business risk. CISOs need to determine what risk level their business is willing to accept. This includes determining appropriate control mechanisms. Clearly, the threat landscape has gotten stealthier and even more difficult to catch. Today, “We are dealing with advanced persistent threats,” according to the CISO.


To respond to the raised threat level, this CISO has chosen to move to industry-standard, risk-based methodologies—ISO 2700 and NIST 8453. He is even looking at COBIT 5 and its continual improvement concepts for security. Nevertheless, he said that NIST requires conscious choices; not everything is applicable to every organization. You need to determine with your business stakeholders (no, they aren’t the people holding stakes) what is important, and, in some cases, what is more important.


Clearly, CISOs need to choose from among risk management approaches. At the same time, they need to demonstrate to business and IT leadership that they can measure, manage and improve security. Their foremost goal, according to COBIT 5, should be to keep the impact and occurrence of information security incidents within their enterprise’s risk appetite. Doing this starts by putting in place a system that effectively addresses enterprise information security requirements. Next, they need to ensure their plan is not only accepted, but also effectively communicated throughout the enterprise. And finally, they need to ensure that information security solutions are implemented and operated consistently throughout the enterprise. Doing these things clearly makes the world—and CISOs in particular—not so scary.


Related links:

Solution page: HP Security Management

Twitter: @MylesSuer

About the Author


Mr. Suer is a senior manager for IT Performance Management. Prior to this role, Mr. Suer headed IT Performance Management Analytics Product Management including IT Financial Management and Executive Scorecard.


Great article, Myles! Makes complete sense that the CISO is getting closer to business leadership.
