Now that cyber security is finally acknowledged as a bona fide enterprise risk, CISOs are being tested to stretch beyond their technical roots and embrace a role that demands the full range of leadership and management skills exemplified by others in the C-suite.
An increasingly complex threat landscape coupled with an active regulatory climate has elevated security issues to the highest echelons of corporate management. At the same time, companies are venturing deeper into digital transformation, shifting critical business processes and revenue opportunities online, which requires proper safeguards.
The upshot: IT security leaders have had to embark on a transformational journey of their own, evolving from technical implementers to stewards of enterprise security strategy across lines of business and within the top executive ranks.
Many liken the shift to the metamorphosis of the CIO role over the last couple of decades as information technology took root as the foundational building block of business.
“In much the same way the CIO role changed as business got more immersed in new technology, the CISO is now taking a much more active role,” says Bill Brown, senior vice president and CISO at Houghton Mifflin Harcourt, who has also served as a CIO. “Digital transformation has a huge impact on data and the security and privacy of that data. As a result, the CISO role needs to move front and center to enable the business to act on security and privacy by design.”
The irony is that the role now moving to the frontlines didn’t exist a couple of decades ago and is still somewhat of a rookie position in many organizations. In fact, while the 2017 State of the Cyber Security Study released by ISACA uncovered an increase in the CISO ranks (65% of companies now have a CISO, up from 50% in 2016), the research found that in many cases the bump could be tied to a simple title change as opposed to bringing in talent with more sophisticated security and management experience.
But with vastly bigger reservoirs of data to protect and in light of an increasingly connected enterprise, CISOs need to move beyond the role of technical enforcer and compliance monitor to be aligned more closely with the business and to manage information risks at a more strategic level.
“I call it the CISO mullet,” Brown explains. “In the past, the CISO was looked upon as an enforcer, making sure products passed through a staged gate and telling people what not to do. Now the role has changed to one of an enabler so CISOs have to figure out how to play with other partners and IT to go further, faster.”
Faces of the New CISO
Security professionals ready to step into a redefined CISO role should prepare for a range of new responsibilities. A Deloitte report identified what it dubbed the four faces of the new CISO: Technologist, responsible for guiding the design and deployment of security technologies and standards; Guardian, charged with monitoring the effectiveness of the security program, processes, and controls; Strategist, tasked with aligning business and IT security standards; and Advisor, helping to identify cyber risks and engaging the organization and key executive stakeholders to increase security awareness.
As part of the new agenda, CISOs will need to:
Foster IT security/business alignment
It’s been a CIO mandate for years and now it’s hit the radar screens of CISOs. Instead of the narrow view of cyber security as a technical issue, CISOs need to take a higher-level risk management approach, working with the business to sync security operations with key business objectives while developing an understanding of what data is critical and the overall risk if lost or compromised.
According to the Deloitte report, 90% of CISO respondents have a desire to improve the strategic alignment between the security organization and the business, but close to half (46%) are concerned about their ability to achieve that goal. The reason for their reticence: Most ascending to the CISO spot hail from traditional tech-oriented roles, potentially responsible for maintaining hardware or developing software, or have been in the weeds overseeing compliance-related activities and threat detection and remediation. Many also lack pertinent business development and management experience, which limits their ability to communicate strategically with the business as opposed to talking security bits and bytes.
Polish up board-level communication skills
It’s not just about an ability to communicate successfully with the business—CISOs also need to be able to talk about security issues at an executive level, with both the C-suite and boards of directors. This requires developing a whole set of new competencies, from listening skills to business acumen, to ensure a seat at the executive table. Many CISOs are heading back to school to get the relevant training: A Forrester Research study of Fortune 500 senior security leaders found that 45% with graduate degrees now have an MBA.
“CISOs need to have charisma, presence, and communications skills,” says David Bradbury, chief security officer for Symantec. “They need an ability to understand the importance of human relationships to their success and to be able to translate business requirements into cyber security needs.”
Understand risk in new terms
Of course, CISOs will still spend time overseeing security implementations and managing responses to specific cyber incidents. But they also need to foster a shared enterprise risk strategy, which includes the upside of leveraging security for competitive advantage.
“CISOs are now being elevated into conversations that traditionally were the province of the HR exec or the chief investment officer and they need to be able to contribute accordingly,” says Symantec’s Bradbury. “That means, not just talking about risk reduction, but how to leverage cyber security as a differentiating strategy for the company and to foster trust in the brand.”
An increasingly dangerous threat landscape makes it more vital than ever to bridge the communications divide that’s grown up over the years.