Skip to main content

Featured

How Security Architecture Supports Business Drivers

The Enterprise Information Security Architect is a crucial position within IT security and is often challenging and stressful. The job forms the “glue” that bridges the technological aspects of security and business drivers. The architect must have a solid understanding of the business architecture to design the best security systems possible that not only do not impede the business but enable business opportunities.  Also, the position must exhibit a management presence to articulate to senior executives the conceptual architecture and how it will impact business operations.
Through the many years as a security practitioner, I find organizations who are using existing security controls that are not effective. When engaged in these projects part of the risk assessment conducted is determining if there is sufficient protection for information that should be shared with employees, customers, business partners, and the general public. The risk assessment is a crucial step when designing…

CISO Complexity: A Role More Daunting Than Ever


The role of the CISO is more complex than ever. One major factor contributing to this CISO complexity is the growing number of regulatory compliance requirements with which organizations must comply. There are also industry-specific standards muddying the water. Financial services, for example, are heavily regulated in the U.S. and the European Union (EU). These regulations are rapidly changing, and it is very difficult for CISOs to keep up with all mandates.

CISOs are often confronted with organizational business units that simply accept risk instead of attempting to mitigate it with regulatory and security compliance. It is difficult to justify this problem to regulators who often see it as a black-or-white issue — either you’re in compliance or you are not. CISOs have a tough time addressing this gap in the ever-changing regulatory environment.

Getting Executives on the Same Page

The heightened awareness of executives and boards of directors also contributes to CISO complexity. Through collaboration with other organizations, these executives are becoming more sensitive to the importance of security. They have seen other organizations suffer data breaches and heard of the masses losses, and they want to know that their own critical data is protected.


The seemingly insurmountable threat landscape adds even more complexity. Cybercriminals are becoming more sophisticated, and everything from state-sponsored attacks to organized criminal campaigns is occurring around the clock. Advanced defensive solutions can be helpful but may also be difficult to operate, adding yet another layer of difficulty.

Zooming In on the Big Picture

Complexity is not necessarily a bad thing, but understanding what causes it goes a long way toward dealing with it. CISOs must understand what creates complexity in their organizations. They should, for example, remove any tools that do not add value and delegate tasks to direct reports whenever possible.

Organizational complexity creates big obstacles that make it difficult to get things done. Executives and board directors often lack a realistic understanding of how information security and the related challenges actually affect their businesses. I’ve noticed that many leaders simply revert to past personal experiences to address security issues from a big picture perspective, yet they fail to understand or consider the consequences of that, especially as it relates to employees. It could result, for example, in inadequate processes and ambiguous role definitions.

What Drives CISO Complexity?

Security leaders must identify pockets of individual strength and weakness in their departments to effectively deal with these challenges. It is important to properly delegate work to individuals who can deal with delicate situations and also train others to develop the required skills. This enables the CISO’s staff to create and use networks within organizations to build relationships. A team effort is required to overcome poor processes, manage complexity and bridge organizations silos.

Organizations have varying degrees of complexity due to both internal and external factors. To top it all off, security staff members view complexity differently than executives. Those stakeholders must recognize how their staff deals with complexity and develop an understanding of what drives it.