The Changing Role of the CISO
Michael Conway
Director at Renaissance | Cyber Security | Encryption Devices | Business Continuity
The role and responsibilities organisations place on their Chief Information Security Officer (CISO) have expanded over the last few years. As the need to make sure that data and the IT systems holding it are protected from the ever-increasing cyberattack threat has grown, Boards and C-Suites have come to rely more on their CISO as a crucial part of the defence and organisational leadership team.
This increase in the importance and visibility of the CISO has upsides and downsides. On the upside, the threats and the need to protect against them means that CISOs can more easily get the funding they need to deliver cybersecurity and also have input into business projects to ensure they get designed with security in mind. On the downside, the sheer scale of the threats and continuous cyberattack activity that all organisations deal with means that the role is very stressful.
This stress level feeds into a Gartner prediction that almost half of all CISOs will change jobs by 2025 and that a quarter will pursue roles outside of cybersecurity. This dynamic nature of the CISO job market is a microcosm of the larger cybersecurity job market, in which skilled practitioners are in short supply and in high demand. The shortage of cybersecurity professionals has led many businesses to outsource all or parts of their cybersecurity protection to an MSSP (Managed Security Service Provider). Many MSSPs include a virtual CISO (vCISO) in their service offerings so that this vital role can also be provided by a service provider that is dedicated to and focused on cybersecurity defence. The rise in popularity of MSSP use means that the role of the CISO within organisations is changing.
What Is the Role of a CISO?
The CISO oversees the information security of their organisation. They are responsible for developing and implementing information security programs that safeguard the organisation’s data, IT systems, and assets from unauthorised internal and external access. CISOs also manage cyber risk and ensure that the organisation’s cybersecurity aligns with business objectives and strategy.
Working with other leaders, such as the Chief Information Officer (CIO) and Chief Technology Officer (CTO), they ensure that the security program is well-designed, effective, efficient, and periodically reviewed & updated. The CISO often advises the Board of Directors on security matters and works with departmental leaders and project managers to ensure that any new business proposals and projects take security seriously from the start and incorporate security considerations into their design and development.
What Are the Typical Functions That a CISO Performs?
The functions and activities a CISO performs are listed below - I include vCISOs in this if they fill the CISO role as part of a managed service. It should be noted that a CISO needs to have an overall picture of all aspects of cybersecurity, and a detailed knowledge of the IT systems and data protection requirements for the organisation they are working in. But they do not need to be a hands-on expert who performs all the tasks listed below. Rather, they are a manager who delegates direct cybersecurity work to others who have the skills and experience to deliver what is needed.
A CISO is responsible for the following:
CISOs are clearly busy, and they often encounter the challenge of vendors approaching them to discuss products which may be beneficial for their defensive posture, but they lack the time to engage in such conversations. Conversely, many vendors face difficulties initiating discussions with CISOs to present their latest technologies. At Renaissance, we look to bridge this gap by selecting best-of-breed cybersecurity solutions and vendors for CISOs to consider, while making it easier for vendors to get their solutions considered by CISOs and MSSPs.
The Changing Role of the CISO
As more organisations use MSSPs to deliver all or part of their cybersecurity protections, the role of the CISO changes to one where they manage an external service provider. This will require them to understand the benefits and drawbacks of using an MSSP for cybersecurity. The benefits include not worrying about cybersecurity staff retention and training, agreed costs, and access to a wider pool of experts. One downside is the need to give up some immediate control over the cybersecurity delivery function.
To get the best from an MSSP partnership, a CISO must have a strong working and personal relationship with the leaders and the hands-on cybersecurity staff in the service provider. The CISO needs to be able to trust them, and conversely, they need to be able to trust the CISO. A relationship built on mutual trust will deliver better cybersecurity outcomes. This means that the role of the CISO changes to be a people management one and moves away from being a technical role. However, a CISO must understand the cybersecurity principles and landscape to participate in discussions and decisions with the MSSP.
When using an MSSP, the CISO needs to communicate to their C-Suite and people in the organisation that outsourcing cybersecurity provision does not remove the responsibility for data security from the organisation. Data owners remain responsible for data protection and liable for any breaches under regulations like GDPR. For this reason, everyone in the organisation still needs to play a part in data protection and be aware of how to respond to suspicious activity, such as phishing emails. The policies and procedures part of the CISO role mentioned in the preceding section plays a large part in ensuring everyone is part of the cybersecurity effort.
If there is still an internal cybersecurity team after engaging an MSSP for all or part of the cybersecurity provision, the CISO needs to ensure that the members of this team feel valued so they see that they have a continuing role in protecting the organisation.
Overall, as the move to use MSSPs accelerates, the role of the CISO will increasingly become a people and service management one that needs to be filled by people with both a technical understanding of the threat landscape and the managerial skills to manage external suppliers and people — a combination that not everyone has, and a job role that not everyone wants to perform.