The new role of the Defence Chief Information Security Officer (CISO)
Defending information, improving readiness, and succeeding anywhere
by Sir Rob Wainwright and Honorable Beth McGrath, Deloitte, Amsterdam/Washington
As defence organisations become more data-driven, the role of the Chief Information Security Officer (CISO) is changing. It is rapidly shifting from a technology-oriented position to a business leadership-focused one, with significant demands from and impact on mission readiness. That is why defence organisations across the globe measure, evaluate, and re-measure their “readiness.” While the specific term may vary from country to country, the heart of readiness remains the ability of an organisation to execute its assigned mission promptly and capably. Therefore, understanding readiness starts by understanding the basic capabilities of a force: its equipment, people, and infrastructure.
Data for the creation of a real-time picture
Traditionally, the picture of those capabilities was developed through regular reporting on the status of smaller units, aggregated into a readiness picture at successively higher units. However, these historical snapshots of readiness lost much of the detail leaders needed to make decisions. As a result, many forces are beginning to use real-time data taken from sensors and analytics to create a real-time picture of projects, performance, and maintenance. Rather than relying on summary reports, leaders at every level, from defence ministry secretaries to mechanics on the flight line, can pull from the same pool of actual data. By filtering and analysing it, they can get the information they need, whether that is force-training levels or the broken part on a particular jet.
While the greater use of operational data in readiness decision-making can give leaders greater insight, it also greatly increases the importance of cybersecurity. Every organisation tries to protect its sensitive data, but bringing large volumes of data on the location and status of military forces requires even more vigilance. The result is that cybersecurity is now being dealt with higher up the corporate ladder. In many cases, the CISO has become a close peer of the chief information officer (CIO). The role now demands business leadership as well as information security and technical skills, and the CISO is now seen as a business partner, not just a business protector.
The evolving role of the CISO
Understanding the threats and putting effective countermeasures in place is the responsibility of the CISO. However, as the organisation begins to use data in new and different ways, the CISO must also understand how that changes its risk exposure. In a bid to better understand and improve readiness, defence organisations are using more and more real-world operational information to budget, recruit and make other decisions. While these types of decisions may previously have used “back-office” data that was less sensitive, the aggregation of many different types of mission-related information makes the CISO an integral part of the executive team. The CISO must be fully involved in the decision-making process so that decision makers at every level have the information they need while sensitive operational data stays protected. This means ensuring that the right people get the data they need, and only the data they need.
There is a significant change in the role of the CISO. In the past four or five years, it has broadened, from being almost purely technology-oriented to more people-oriented, and from being a middle-management function to a business and technology leadership function. The role continues to accelerate in the same direction to meet these needs.
THE EUROPEAN – SECURITY AND DEFENCE UNION