Evolution of the CISO
I do not think it is too bold to say that few roles have undergone a more significant transformation than that of the Chief Information Security Officer (CISO). For a brief bit of history, the role came about in the mid-1990s, when security industry legend Steve Katz held the first CISO title at then-named Citicorp. At the time, mobile devices were not yet ubiquitous, AI was still science fiction, and the cloud, as we know it now, didn’t exist.
Since then, nearly every aspect of our personal and professional lives has transformed with digital technology. The role of the CISO has similarly transformed, going from niche technology leader to critical business partner, enabler, and board-level advisor in less than 30 years’ time. The role today is more complex, challenging, and vital than ever before.
I wanted to unpack the history of the CISO, what the expectations of the job are today, and what the role might look like in the future – and knew that friend, expert, and former CISO Charles Blauner would deliver. Charles joined me on Afternoon Cyber Tea to offer his perspective and advice to current and aspiring CISOs – you can listen to the full episode here.
Here are a few highlights from our discussion that resonated with me:
The original job: keep off the front page of the Wall Street Journal
When the CISO role was first established, it was fairly narrow in scope and scale, born from the first instances of hacking in financial services. Charles gave brief background on this, saying, “Back then, it was not a business function. Back then, the idea of the CISO's job was basically to keep off the front page of The Wall Street Journal and stay out of trouble with the regulator. You had a very sort of narrow focus that was really about protecting the data, especially in banking, because of things like the Gramm-Leach-Bliley Act, which was one of the first times the word customer privacy came up in U.S. law. You had this very narrow function. It was basically to keep out of trouble. And if you were lucky, in banks once a year, you met with the board for about five minutes.”
The role today: chief risk manager
When I talk to customers, I often say that cybersecurity is a risk decision. Unfortunately, perfect security and perfect business operation do not co-exist, so CISOs and business leaders have to make trade-offs and determine the risk threshold they are willing to accept. Charles opined on the CISO role today, saying, “What the CISO became was a risk manager. Today, more often, the CISO is talking to the board on a regular basis. In many industries, you will have a board-approved risk tolerance statement or two that is built on cybersecurity and information security. And it's become a regular conversation. So, it (the role) really has evolved to being a risk manager role. And it has evolved to the role where the board knows you now.”
Advice for CISOs: speak the language of the board
For many newly minted CISOs and security leaders, speaking to board members and other non-technical business partners will be a new muscle that requires practice and intention. Charles offered some sage advice on this, saying, “This is Charles' personal view. Boards really want to hear three things. They all want to understand if the company is within risk tolerances, and if not, why? They want to have a sense of what the threat landscape looks like. Boards really do want to understand about the stuff that they're reading in newspapers happening to other companies and how you're learning about it and how that impacts your company and your industry and the ecosystem that you're a part of. And then helping them understand the big pieces of your strategy for how you're protecting the firm and where you are in execution of that strategy. You want to give them the key snippets and help them understand.”
My conversation with Charles was lively and poignant, given the state of cybersecurity and the challenges CISOs face today. For the full episode and more Afternoon Cyber Tea, visit www.afternooncybertea.com. New episodes are released every other Tuesday and are available on the Cyberwire and most major podcast platforms.
Girl Dad | Cybersecurity Leader | ITAD
2 years ago: Great quote. This is how to make security relevant to everything the company does.