
“The CISO role requires the courage to define a security strategy, the tenacity to see it through, the wisdom to keep learning at every stage, and the resilience and adaptability to drive success.”

-Rick Rowley, CISO and Principal Architect, Digital Velocity

A Chief Information Security Officer – or CISO – has big expectations to meet.

Gone are the days when the CISO’s biggest worry was the lone hacker motivated by individual financial gain and notoriety. Today, sophisticated cyber-criminals are targeting corporations and governments not only for valuable data that they can steal and easily monetize in the cyber underground but also for more malicious reasons, such as corporate espionage, corporate sabotage, industrial sabotage, and cyberwarfare.

The public doesn’t expect a CISO to stop every determined cybercriminal and malicious insider, but they do expect the CISO to make it very, very hard for them. When the enterprise does experience a breach, they expect the CISO to have a mature response ready that prioritizes the interests of both the enterprise and its customers or third parties.

We feel three major market realities should guide the CISO’s efforts:

1. Today’s digital businesses extend well beyond traditional technology borders. Many businesses have hundreds of third-party relationships, including channel partners, suppliers, traditional outsourcers, and an ever-growing number of cloud and managed service providers. In an extended enterprise, a business function is rarely, if ever, contained within the infrastructure confines of the company. Staff and customers are mobile and empowered, and the organization must build a dynamic ecosystem to drive digital business among these connected users. CISOs need to recognize that many previous approaches are ill suited to the world of digital business and that they must develop more suitable controls.

2. Information security will continue to elevate its position in and value to the company. It’s not unusual for CISOs to report to the board quarterly and even have a dotted-line relationship to the board. It’s also becoming increasingly common, especially if a company has experienced a major security breach, for the CISO to report to the CEO, not the CIO. To connect with this level of the organization, CISOs need to communicate in terms of risk management, brand protection, privacy, data governance, third-party management, and other elements beyond their historically technical sweet spot.

3. Taking more of a business focus in your Security Program will yield better security results. CISOs need to understand how their business makes money and adopt a risk-based approach to prioritize the essential controls, methodologies, and metrics that will support their organization’s objectives. This includes driving security awareness and governance deep into the organization, aligning business, DevOps, Infrastructure as Code (IaC), and cloud resources with enterprise cybersecurity programs and objectives. This shift of focus is not simple, but it will result in superior security outcomes that help protect the firm’s sustainable competitive advantage.