The Evolving Role of the CISO

In 2017, 27 billion devices were connected through the Internet of Things (IoT). The International Data Corporation forecasts that there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data by 2025. This explosion of connectivity has given companies endless new opportunities to grow, affecting everything from new product development to customer acquisition, even in traditionally non-digitized industries. With these opportunities, however, comes a sharp increase in cyberthreats: as the amount of data a company generates grows, it becomes a prime target for information theft.

What is a Chief Information Security Officer?

The Chief Information Security Officer (CISO) role dates back to 1994, when banking giant Citigroup (then Citicorp) suffered a series of cyberattacks and created the world’s first formal cybersecurity executive as a result. The CISO has since been the executive responsible for protecting an organization’s proprietary data and intellectual property and for managing the company’s overall security. While in the past the role was defined rather narrowly along those lines, as the number of connected devices and the sheer amount of data have grown, the CISO role has evolved dramatically into a stronger and more strategic leadership position.

Put simply: where CISOs were once known solely as security risk managers, they are now expected to be business enablers for the organization.

The role of the CISO now involves far more than ensuring regulatory compliance and adherence to ISO standards (although compliance with applicable regulations and laws is still a large part of the job). CISOs are responsible for the company’s security strategy and risk management, assessing the company’s security vulnerabilities, staying abreast of changing technologies, and allocating resources to carry out the strategy. A 2019 study by 451 Research and Kaspersky reported that 70% of CISO respondents named a greater emphasis on risk management as a top change in the CISO’s role, and risk management expertise was among the top three skills that CISOs cited as important.

Top Qualities of a CISO

Cybersecurity is a highly dynamic field. Rapid, experience-based decision making, organized thinking and the ability to communicate strategically to a non-security audience are almost second nature to many CISOs.

To truly succeed as a CISO in today’s digital world, these are the qualities a CISO needs to possess:

Matchmakers: It is integral for CISOs to understand the big-picture mission and to make strategic decisions that align security goals with overall business goals. Executives expect that CISOs secure the organization to the benefit of the business, not to its detriment. It is worth remembering that the consolidated set of technologies and services in the security stack can deliver benefits to stakeholders beyond the traditional ones. The ability to connect security efforts to tactical and strategic benefits for business operations, or even the bottom line, that go beyond risk reduction is critical to the success of the role, the team and the program overall.

Relationship Builders: The CISO’s job may seem hyper-focused on security, but success is truly determined by relationships. This may come as a surprise, since security professionals are commonly associated with their technical skills rather than their social skills. Understanding, communicating with and resonating with business units and their stakeholders is the most crucial aspect of the CISO role. The true power lies in combining an understanding of the needs and challenges stakeholders face, the security and compliance risks we need their help addressing, and the breadth of technical and operational capabilities at our disposal. Stakeholders we can help today will help our cause tomorrow, particularly those that are commonly allies of security (legal, enterprise risk management, internal audit). Real change in the name of business risk reduction typically comes through a network of change agents, not the lone voice of a CISO “punching up.”

Servant Leadership: Set the strategy, manage priorities at the “epic level” (side note: if you are not practicing agile, consider doing so), clear a path for your team and guide as required. Don’t manage the details; lead on the outcomes and let the team figure out how to get there. As the team surfaces risks and challenges, use your relationships to knock them down, enabling the team to make iterative progress on the top risks and objectives. As noted above, CISOs no longer have the time to manage every facet of the program; they must enable the team to push strategic efforts forward.

Advocates: At the end of the day, CISOs need to advocate for a cybersecurity infrastructure that will actually protect their organizations. This is no easy feat, as business leaders are often skeptical about investing in cybersecurity when they cannot physically see the threats in motion. CISOs must communicate the importance of quality cybersecurity and advocate for tools that will save the business money in the long run. CISOs must serve as lobbyists for the security organization, fighting for what is needed to stay protected under any circumstance.

CISO responsibilities

The CISO is responsible for ensuring the company’s data is protected from any number of threats, including cyberattacks, data breaches, ransomware and phishing scams, ultimately keeping the business digitally secure without practices so stringent that they make conducting business almost impossible. This balance can cause friction with other areas of the business. In most cases the CISO works in tandem with, or reports to, the Chief Information Officer (CIO) to achieve the security goals, yet the CISO’s instinct is to lock down systems and make them harder to access, while the CIO and their team are tasked with making information and applications readily available to those in the organization who need them.

Today’s successful CISOs have a good technical foundation but often also have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board. The actual mix of technical and nontechnical skills a CISO requires differs by type of organization, size, industry and so on; however, you can expect the job description to encompass any of the following:

  • Security operations: Key to this role is the real-time analysis of immediate threats and resolving issues as they occur. If there is a data breach, the CISO will undoubtedly be involved in the incident response, including determining what went wrong, dealing with those responsible if they are internal, and planning to avoid a repeat.
  • Risk management and cyber intelligence: Keeping up to date with developing security threats, and developing a strategy to tackle the security problems that might arise.
  • Advisor to the board: Keeping the board up to date on the security challenges that might arise from big business moves.
  • Data loss and fraud prevention: Ensuring employees are trained and educated in the company’s data policies, including the repercussions of misuse or theft of company data.
  • Security architecture: Planning, purchasing and rolling out security hardware and software, and making sure IT and network infrastructure has been designed with security best practices top of mind.
  • Identity and access management: Ensuring that only authorized people have access to restricted data and systems.
  • Program management: Implementing programs or projects that mitigate security risks.

The breadth of information security and its ever-changing landscape of threats means CISOs must be hyper-aware of developments in the cybercrime world, learning the sophisticated tactics cybercriminals are using to attack companies. Thanks to the explosion of the digital supply chain, there are more potential network entry points for cybercriminals than ever before, each posing an added challenge for the CISO. As soon as one door closes, cybercriminals find another, often demanding substantial sums of money in return for keeping the data they gain access to private. Some organizations face hundreds of intrusion attempts every day. According to Juniper Research, the average cost of a data breach in 2020 would exceed $150 million. Cybercrime is expected to more than triple the number of CISO job openings over the next five years, with Cybersecurity Ventures predicting 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.

How important is the role of CISO?

A survey from IDC sponsored by Capgemini of over 1,000 large-enterprise executives across the globe found that both information security and the people managing it are regarded as more important than they were three years ago. 69% of non-CISO respondents said information security had increased in importance, while 77% reported that the personal influence of the CISO had also grown. 90% of executives surveyed said the CISO is involved in significant business innovation and change decisions, and over 60% said the CISO attends board and executive management meetings.

Furthermore, in the 451 Research and Kaspersky study mentioned above, CISO respondents were asked whom they report to, which serves as a good indication of how important they are considered within the organization. 41%, the largest segment, reported directly to the CEO, and 23% reported to the board of directors. Even those who did not report directly to the board were sought out for their expertise. It would appear, therefore, that CISOs are seen as critically important within an organization.

Yet, according to a KPMG and Harvey Nash report, only 29% of CISOs believe they’re very well-positioned to deal with security risks.

Despite cybersecurity becoming a far more visible aspect of the modern business, CISOs often struggle for funding. In the 451 Research and Kaspersky study, when asked what puts the most pressure on cybersecurity management, respondents ranked competition for budget (46%) almost as high as the growth and severity of attacks (49%). High-profile breaches and privacy concerns are not going away, and if companies wish to remain in business, their cybersecurity strategy must be viewed as fundamental to the ongoing success of the organization.

Responding quickly and proactively to automated attacks depends on intelligence-driven cybersecurity. CISOs undoubtedly have their work cut out for them as they try to stay one step ahead of the criminals. It is no surprise, therefore, that in a survey from Nominet, 91% of CISOs said they suffer from moderate or high stress, and 27.5% said stress affects their ability to do their jobs. Worse still, almost half (48%) of CISOs said work stress had a detrimental impact on their mental health in the past year, almost twice the 2018 figure (27%).

While larger organizations are generally better prepared for cyberattacks than small and mid-sized businesses, which may not have adequate information security measures and resources in place, it is still an uphill battle for any CISO to stay that all-important step ahead of the cybercriminals. As corporate security becomes more critical, CISOs, especially those at larger organizations, often oversee an in-house team of security professionals. Smaller firms that take cybersecurity seriously may outsource the job to a managed services provider. Some companies do a combination of the two.

Future Forecast: Where is the CISO Role Headed?

Traditionally, CISOs focused on security strategy. They worked with stakeholders and direct reports to understand and stack-rank risks and the related threats, and established and grew programs and capabilities to stop them. Whenever a breach or significant security exposure was identified, their job was to lead the charge in fixing the problem. Now, CISOs need to think proactively not just about security strategy, but about long-term business strategy.

In the era of the digital workplace, CISOs must not only focus on preventing threats, but create systems that work for the business and still keep everyone protected. Constant innovation and the creation and implementation of new strategies are already part of the CISO’s job description. It is about thinking not only about the threats in front of you, but about the threats to come and how to stay ahead of them while keeping the goals of the business at the forefront. Decision-making that ties business strategy and security processes into a firm knot is the only way to stand straight amid the fast-paced, ever-changing storm of digital services.

The role of the CISO is evolving faster than ever, and the CISO is becoming the jack of all security and business trades. On Monday, they are the superheroes keeping the cybercriminals out. On Tuesday, they are improving the organization’s security posture. By the end of the week they are C-suite ambassadors rethinking the concept of security, all while delivering positive business value.

As the role continues to evolve and the CISO’s depth and breadth of knowledge of the business, its underlying technology and its core risks grows, the role will continue to move outside of IT and be seen as a peer of the CIO. As enterprises evolve, a growing number of effective CISOs will be asked to take on enterprise risk-management or infrastructure responsibilities. The future remains bright for the CISO role, as long as we stay focused on truly aligning with the business and managing risk around what matters most.

The role of the CISO is clearly evolving in response to the changing business world. In recent years CISOs have made significant progress, expanding their influence and improving the reputation of information security, firmly establishing the CISO as a strategic, business-critical role that is fundamental to competitive advantage. Undeniably, one of the biggest strengths of today’s CISO is having a finger firmly on the pulse of changes in the cybercrime world, and the ability to adapt quickly to new threats before the criminals are able to do serious damage.
