Universal Aspects of the Evolving CISO Role

Currently, many of us security professionals are sheltered in place working from home, managing our security teams remotely as we help our organizations find their path forward in the new world COVID-19 has created. During this day-to-day grind, over the last eight weeks, I found time to discuss with peers how we believe our jobs as CISOs are adapting to meet the challenges of this pandemic. It’s with these discussions in mind; I felt it was crucial to point out that even as the CISO job function may change, there are universal aspects of the role that many of us believe are constant. The following are several tenets CISOs embrace, which will continue to help them and their organizations meet the demands of a post-COVID-19 world. 

1.     Change is an Opportunity – One of the first aspects is focused on managing change. It's essential to accept that today’s turmoil will pass, but hopefully, we will return to some type of new normal. CISOs are used to leading in dynamic environments where change is one constant they expect, so it is vital to continue viewing today’s changes as new opportunities and not negative influences. This mindset helps reduce the stress of the job, and it is also useful to identify gaps or new initiatives to improve the current security program. CISOs accept this mindset as part of their roles strategic approach to managing a security program and use it to partner with peers and stakeholders to distribute risk and develop resilience in support of business operations.  

2.     Flexibility is Cyber’s Creativity – CISOs manage enterprise-level risk where the lines are blurred between what's acceptable or not, and doing this well requires flexibility. Just as “change” is an opportunity for CISOs, “flexibility” allows CISOs to be creative, and being willing to compromise provides another resource to reduce the stress of this demanding role. Part of having this flexible approach to the CISO job is embracing the concept that the risk CISOs manage is owned by the business due to decisions made outside of their control. With that said, CISOs are still accountable for understanding these risks and collaborating with stakeholders, peers, leadership teams, etc. to compromise and find a middle ground for remediation that is both acceptable for the business and meets security requirements. 

3.     Cybersecurity is a Community Effort – CISOs understand that to provide their organization a mature security program requires a community effort. Cybersecurity is more than just a CISO and a security team; it is the implementation of strategy using technology, people, policy, frameworks, etc. across all aspects of the business to govern risk and reduce the impact of incidents on current business operations. Successful CISOs are those that build teams with diverse backgrounds and skills. Then, with those teams, they engage their company’s internal community and its business culture to build trust and educate employees on the value the security team provides the business. Developing the “cybersecurity is a community effort” mindset requires CISOs to be evangelists to employees, business unit leaders, executive teams, boards of directors, and trusted vendors/partners. CISOs use the “community effort” to build coalitions within the organization where the security program and its services are recognized as trusted company resources.

4.     A Long View is Required – The CISO position is a continuous effort; it's one where incumbents are tasked to be available, any time day or night. There will always be incidents, risks, new initiatives, new regulations, etc. and just as CISOs feel they are getting things completed with room in their daily schedules to plan and be proactive, the job steps in and fills it up. Cybersecurity is a discipline that operates in a continuous lifecycle, and the CISO role is one as well. To manage this challenge, CISOs have developed the “long view” where they pace themselves at work and leave room in their schedules for self-care to manage stress. They plan both day-to-day operations and multi-year initiatives to support the business and, when possible, delegate many of the day-to-day operations to their teams for professional growth. They partner with stakeholders to implement long term strategies to enhance the business and then continually review their whole approach making adjustments to their plans when needed. 

5.     Willingness to accept Help – Cybersecurity is a career field that is continuously changing, and it's impossible to know everything. This field, with its technologies, services, regulations, and opposing threats, is very dynamic, which exacerbates the need for current information. CISOs have adapted to this tumult by creating and leading teams of diverse skills and experience to protect their organizations. However, even with this hard work, there will be times as the senior security leader, CISOs will reach out to peers or the community for help. I envision this aspect as the willingness to collaborate and reach out to stakeholders, peers, partners, etc. to find information. CISOs know they don’t need to have all the information, they just need to build a reliable team and have a network and community they can rely on to assist their company when required.

6.     Cybersecurity is not just Technology – This final aspect is how CISOs approach their job with an understanding that providing excellent security to the business is more than technology; it's actually about business value. This value measures the cost of a security program, and the supposed benefits from its deployed technologies/services against the impact on business operations, actual risk reduction, and employee experience. This value measurement is continuous, and it's the critical aspect CISOs develop metrics on for the maturity of their efforts and how well they are aligned to current or future business initiatives.

I envision these aspects of the CISO job are some of the things that make the role unique. No matter how a business may change its CISO role to meet new post-COVID requirements, some versions of these approaches to managing risk and leading a security program will always be present. With that I welcome input from our community, I know there are other aspects of this role that I could have included and I look forward to hearing from everyone your insight as we all walk this new path together.   

 ***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the author of a new book, The Essential Guide to Cybersecurity for SMBs. For those of you that have asked, all three are available in print and e-book on Amazon. To see more of what books are next in our series please visit the CISO Desk Reference website.