As high-profile security breaches increase, Chief Information Security Officers (CISOs) continue to come under attack, as they are typically held responsible for ensuring their organizations' security and compliance with FISMA.

A new GAO report released Sept. 15 confirmed that the CISO's role is not clearly defined and that their authority is increasingly challenged. The report noted that the OMB has not followed through on its FISMA mandate to issue guidance outlining how agencies should ensure that CISOs fulfill their oversight responsibilities.

The OMB countered that it has clarified the CISO's role under FITARA and other guidance. However, the GAO auditors reported that none of the guidelines cited by OMB address how agencies become FISMA-compliant or indicate that OMB is evaluating CISOs' authority.

In addition to security, the CISO is responsible for getting the organization compliant with established guidelines. Currently, it is the CISO's job to request information from the business and advise whether the business is compliant, while the business owners are not required to do anything in return. It is a one-way conversation that becomes more of a nuisance to the CISO, since he is not able to contribute and provide value to the business.

Compounding this is the fact that CISOs are increasingly dealing with clashes between operations and security, and are having to manage across a variety of stovepiped areas of the organization.

The result is an unproductive environment in which agencies lack clarity on how to use the CISO, who has become constrained from achieving his goal of securing the enterprise and keeping the organization compliant because compliance has become a one-way street. This puts a large burden on the business and the mission people.

Waverley Labs believes that organizations are only looking at the CISO from an internal IT and security perspective. We believe the time is now to redefine the CISO's role within an organization: to make the CISO more mission-oriented and more aligned with the business, whose need is to be compliant.

The CISO needs to provide value to the business owner by giving him ways to secure his applications. By connecting the CISO with the business, he can say "help me get you compliant and I'll help you get secure," and it becomes a two-way conversation.

Both sides must examine how secure their operational systems are through the increased use of Digital Risk Management (DRM) frameworks and engineering principles that are typically not employed today. And if you elevate the CISO's role to make it more about DRM, that role will become much more defined.

But it needs to start by making the CISO part of the business and having a two-way conversation.