My 2025 Non-Prognostication

(This article was originally posted on December 17, 2024, on my Enabling Board Cyber Oversight blog series as My 2025 Non-Prognostication)

Introduction

I’ll leave all the 2025 prognostications to those more qualified and those who think they are. This post is simply a reflection on Enterprise Cyber Risk Management (ECRM) and the Chief Information Security Officer (CISO) role as we enter 2025.

I’ve been immersed in privacy, security, compliance, and risk management for most of my 35+ year career and deeply steeped in cybersecurity and compliance for the last fifteen years since I founded Clearwater. (Sidebar: Clearwater continues to be the leading and largest pure-play cybersecurity and compliance provider to the healthcare industry. Among its many awards and recognition, Clearwater was recently named the recipient of Modern Healthcare’s 2024 Best in Business Awards in the Cybersecurity category. Of course, I am proud of what we started in 2009 and what the new leadership team has built since 2018. Thank you, Steve Cagle, MBA, HCISPP, CHISL, CDH-E; Jon Stone, MPA, CRISC, HCISPP, PMP; Baxter Lee; John Howlett; Dan Pruyn, HCISPP; Nicole Dowsley; Jon Moore, MS, JD, HCISPP; and Brian McManamon; and all the Clearwater colleagues who work so hard every day to create value for Clearwater’s clients.)

The Problem and Root Causes

Getting back to my reflection and my last fifteen-year immersion, while not exactly a news flash, I’ll state it anyway: ECRM and cybersecurity are still woefully immature across all industry sectors (especially healthcare) and in most organizations. In healthcare, OCR enforcement data continues to show that 9 out of 10 organizations have not conducted the most fundamental, foundational step for any cybersecurity strategy -- comprehensive, enterprise-wide risk assessments. I do not have the data, but I expect the same is true across all industries. We are failing at cyber risk management.

I’ve come to believe that the three primary root causes of the mess we are in are:

  1. Risk illiteracy
  2. Insufficient C-suite/Board accountability
  3. Overlooking ECRM value opportunities

I’ve written about these issues in numerous posts and articles I won’t repeat here. The last item is addressed as the main topic of my 2024 book, Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage.

My Reflection on The Solution

My reflection is about how best to address these root causes. It may sound cliché or trite, but the answer is simple: leadership. More specifically, I mean a change in CISO leadership. I wrote about a similar evolution with the Chief Information Officer (CIO) role in a post entitled, From Cyber Guardian to Boardroom Luminary – A Personal Story About CIO Evolution Parallels, with Career Advice.

As I stated at the outset, I am not making any grand prognostications for 2025 because that may be too soon and won’t happen in one year. The Chief Information Security Officer (CISO) role has already undergone a significant transformation in recent years, shifting from a primarily technical focus to a position that demands robust business acumen. This evolution reflects the growing recognition that cybersecurity is not merely an IT concern but a critical component of overall business strategy.

This new breed of CISOs will address risk literacy across the organization, insist the C-suite and board become more engaged, and use ECRM to create tangible, visible business value.

Historical Context

Traditionally, CISOs were tasked with safeguarding an organization's IT infrastructure, concentrating on technical aspects such as network security, firewall management, and intrusion detection. Their primary objective was to protect digital assets from cyber threats, operating mainly within the confines of the IT department. Cybersecurity was an “IT problem.”

The Shift Towards Business Integration

As digital transformation accelerates and cyber threats become more sophisticated, the scope of the CISO's responsibilities has expanded. Modern CISOs are now integral to strategic decision-making processes, aligning cybersecurity initiatives with business objectives to manage enterprise risk effectively. This shift necessitates a deep understanding of business operations, risk management, and regulatory compliance.

Key Drivers of the Evolution

  1. Increased Regulatory Pressure: With the proliferation of data protection laws and industry-specific regulations, CISOs must ensure compliance, necessitating a comprehensive understanding of legal and business implications.
  2. Cybersecurity as a Business Enabler: Organizations recognize that robust cybersecurity measures can provide a competitive advantage, fostering customer trust and protecting brand reputation. CISOs, therefore, play a pivotal role in driving business growth through secure digital initiatives.
  3. Board-Level Engagement: CISOs increasingly report directly to CEOs or boards of directors, reflecting the strategic importance of cybersecurity. This elevation requires CISOs to communicate complex security issues in business terms, facilitating informed decision-making at the highest organizational levels.

Implications for CISO Skill Sets

The evolving role of the CISO demands a diverse skill set that balances technical expertise with business leadership. Key competencies now include:

  • Strategic Thinking: Ability to align cybersecurity initiatives with business goals.
  • Risk Management: Proficiency in identifying, assessing, and mitigating risks that could impact business operations.
  • Regulatory Knowledge: Understanding of relevant laws and regulations to ensure compliance.
  • Communication Skills: Capability to articulate cybersecurity concepts to non-technical stakeholders.

Examples of Business Executives in CISO Roles

  1. Phil Venables at Google Cloud: Phil Venables, who became the CISO of Google Cloud in 2020, exemplifies this trend. With a robust cybersecurity and business leadership background, including previous roles at Goldman Sachs, Venables brings a strategic perspective to the CISO position, aligning security initiatives with business objectives.
  2. Rinki Sethi at Twitter: In 2020, Rinki Sethi was appointed Vice President and Chief Information Security Officer. Her career includes leadership positions at IBM and Rubrik, where she combined technical expertise with strategic business leadership, emphasizing security integration within the broader business framework.
  3. Michael McNeil at McKesson: As Senior Vice President and Global CISO, McNeil is responsible for enhancing and overseeing McKesson's information and operational technology security strategy. With an extensive background in cybersecurity and significant business experience in the healthcare industry, he has held senior leadership positions at Royal Philips, Medtronic, Liberty Mutual Group, Pitney Bowes, and Reynolds & Reynolds, demonstrating his ability to integrate security within broader business frameworks.

These appointments reflect a broader industry trend in which the CISO role is increasingly considered integral to business operations, requiring a blend of technical knowledge and business leadership to manage cyber risks effectively and in alignment with organizational goals.

Conclusion

The transformation of the CISO role from a technical guardian to a strategic business leader underscores the integral role of cybersecurity in today's business environment. As organizations continue to navigate the complexities of the digital landscape, CISOs with a blend of technical prowess and business insight will be essential in driving secure and resilient business growth.

I’ll observe in 2025 how many more organizations raise the bar and hire strategic business leaders as their CISOs.

For CISOs

At the end of the post previously cited (From Cyber Guardian to Boardroom Luminary – A Personal Story About CIO Evolution Parallels, with Career Advice), I provided several specific career development considerations, which I repeat here:

  1. Find a business mentor in your organization. Do not choose your organization’s CIO as a mentor, whether you report to them or not. Short of your CEO becoming your mentor, I’d try for the CFO or your COO, who should care a lot about cyber risk exposures and business value creation opportunities.
  2. Study, research, and learn the new business qualifications emerging for CISOs. I recommend researching how the CIO role has evolved over the last four decades since the changes will be similar. Research is being done, and books are being written on the changing CISO role. Some examples are The Phantom CISO: Time to step out of the shadow, The CISO Evolution: Business Knowledge for Cybersecurity Executives, or So, you want to be a CISO (Chief Information Security Officer): A practical guide to becoming a successful cybersecurity leader.
  3. First, consider an MBA, not a Ph.D. in cybersecurity. I don’t have either, so this recommendation has no inherent bias. I thought about a Ph.D. in cybersecurity but abandoned that pursuit after assisting several Ph.D. candidates with their theses and seeing that most topics remained technical, tactical, and esoteric. That’s not what your business needs more of.
  4. Hire a professional coach. Either directly or through programs like the IANS Executive Competencies program, complete a baseline competency assessment and build a plan of action to learn additional business leadership skills. Engage an accountability coach to guide you.
  5. Engage with externally focused business leaders. Meanwhile, as they say, don’t just stand there, do something! Shift your focus externally to the market and customers you serve. Depending on your organization’s size, nature, and complexity, this may involve connecting with multiple line-of-business leaders. I’m reminded of the classic Harvard Business Review article published twenty years ago, Staple Yourself to an Order, as one of the best ways to understand and see your business through your customers’ eyes.