The CISO role continues to evolve with new tech, vulnerabilities and threats. While the landscape of what a CISO does is expanding, the good news is that the role is becoming more strategic within organizations which is not a surprise given the current state of affairs.
Information security has morphed from being an unsexy expense to a necessary capability. Without it, organizations remain woefully unprotected against the growing threats of hackers, hactivists, and hacking groups, some of which have ties to organized crime.
In fact, cyberterrorism and cyberwarfare are existential threats to every organization today, irrespective of size or industry. While cyber security will never be the core competency of most organizations – which bad actors are counting on – businesses can help themselves by having the right CISO in place.
Cyber security had humble, tactical beginnings – the firewalls, followed by IDSes, honey pots and more. As hacker tactics evolve, so must an organization’s security fabric. However, a tactical approach to cyber security has proven to be unwise.
Companies must have a cyber security strategy under which technology, processes, practices and people fall. Of course, CISOs should be set the cyber security strategy within the context of what the organization is trying to achieve as a business, what resources it has to protect itself and what the current and desired future state of cyber security are.
On the other, tactical side, are who does what and who’s responsible for what, the tools, plans and processes that bring a cyber security strategy to life.
A CISO should be a strategist with a chair at the executive table who has the people skills to work with other departments well. If so, that person is in a better position to become an enabler versus an obstacle to progress. In short, the CISO should help the business meet its strategic goals in a manner that minimizes the potential risks.
A CISO’s role is also critical to business resiliency. While a solid CISO can’t control what bad actors do, they can help prepare their organization for the most likely threats. That way, when disaster strikes, incident response follows a plan as opposed to descending into chaos.
The CISO and CIO should work closely together at all times since the CIO’s domain has been the launch point for many types of attacks. While there are other tactics, such as phishing and social engineering which extend to all areas of the business as well, the CISO and CIO can work together to create a safer technology stack that is less likely to be compromised. As some of the recent exploits have demonstrated, horrific outcomes can flow from unpatched and outdated software, which is why some vendors are urging their customers to “upgrade” to the SaaS versions of their products.
In a similar vein, cyber attackers are now targeting developers and their environments because doing is less risky than breaching the main IT systems. If they breach the main IT systems, they run the risk of being detected (assuming they haven’t compromised active credentials). Developer environments are less well protected, if protected at all.
CISOs should also work closely with other members of the C-suite in addition to CIOs to ensure that the business as a whole and cyber security in particular remain resilient. Like other C-suite positions, the CISO oversees a dedicated budget.
Like CIOs, the CISO’s time has come to be a business leader. For CIOs, most recently that’s meant helping to enable digital transformation. Since every company is a software company today, the CIO has necessarily had to assume a business leadership role that facilitates the emergence of a digital business.
Similarly, CIOs must lead, also as a servant leader. Historically, CISOs have been in the “no” business and they’ve developed a reputation for it. In fact, that’s why people in other departments, including department heads, may avoid them. It’s easier and less painful to just buy something and ask for forgiveness later than to ask for permission in the first place, but is “permission” really the right way to go?
Smart CISOs have transformed the conversation by making a point of “managing by walking around” – inquiring about what various parts of the business are trying to achieve and asking how they can help. Their goal is to become a trusted partner who helps other departments meet their goals, albeit safely. Instead of saying “no,” they look for safe alternatives that adhere to cyber security policies while meeting the needs of users.
Finally, CISOs can help and should take a leadership role in created a cyber risk aware culture that permeates the business since effective cyber security requires vigilance on everyone’s part. For this reason, CISOs should oversee cyber hygiene training for everyone at the company.
What It Takes to Become a CISO
The CISO is the most senior cyber security role, which means the person must understand cyber security in considerable technical depth but at the same time be able to translate that into something that can be operationalized throughout the enterprise.
They usually grow into their positions, coming up through the ranks over several years as a cyber security specialist or they may have started in IT. Educationally speaking, they tend to hold Bachelor of Science degrees in computer science or IT, though more universities are offering undergraduate and/or graduate cyber security degree programs. Also, CISOs with advanced degrees are becoming more common.
Chief security officers (CSOs) and CIOs can become CISOs if they choose, but they should upskill first. Chief security officers and CIOs tend to lack the deep, technical understanding of cyber security that CISOs possess.