We are seeing that in quite a few organizations the Chief Information Security Officer (CISO) role is going through a period of transition. Leading organizations that didn’t have a CISO role are now actively scoping the responsibilities of this role.
To date, the security budget often remains a fraction of total IT spend, and a CISO likely will find himself or herself with key constituents in a range of departments across the organization, from IT to finance.
Today, rather than reporting to the Chief Information Officer (CIO), as was common in organizations that established the CISO role early in its evolution, some CISOs report to the CEO or the Chief Financial Officer (CFO).
As the CISO role becomes more integral to the business and the bottom line, it is increasingly common for the CISO also to report to the board of directors, or at the very minimum to have a dotted line to the board.
This evolution illustrates the criticality of the CISO role and its move to a business enablement position. For example, in the event of a security incident that can directly impact revenue and reputation, the board requires an executive who understands both business and security: someone who can qualify and quantify risks in business terms and act accordingly.
As the CISO lifecycle continues, we will continue to see responsibilities clustered in the single role of the CISO. We are already seeing physical security, which until recently was its own domain, become part of information security. As the CISO role becomes more business oriented, these groupings are increasing, with security, risk and privacy better viewed holistically.
At many organizations, CISOs are evolving to balance risk and business. To do this, today’s CISO needs a hybrid set of skills, including the ability to communicate effectively with the board and with managers across business units.
This next-generation CISO is able to “Run Security as a Business.” In this respect, a CISO works with the business to facilitate innovation and growth. For today’s CISO, communication is the key to success.
CISOs need to be able to deliver the right message to secure the investment that makes their new role a reality and a success. CISOs need to present the challenges in a non-threatening manner while providing the solutions in business terms. CISOs need to grow from subject matter experts into business advisers who guide the C-suite on how to improve the business and its revenue in a secure manner. Today’s CISO is a leader and a facilitator.
Rather than thinking of cybersecurity only during a breach, CISOs need to incorporate these matters into the business decisions made by the board, whether they touch on mergers and acquisitions or on new product launches. Security must be a part of these decisions, just as legal and financial issues are.
Another fact is that cybercrime isn’t going to go away anytime soon, and security will continue to be at the forefront for the foreseeable future. With breaches and cybersecurity incidents on the rise, CISOs will have the ability to effect change on par with the changes implemented by the CFO, CIO and other key executives.
I would encourage organizations, as is the case today, to continue to include CISOs as key business partners. Rather than security being a priority only among information security specialists within the organization, it is the CISO’s role to ensure that all staff members are aware of, responsible for and accountable for the security that touches their jobs.
This is imperative to the continued health of the business. Communication is now a cornerstone of the CISO role. CISOs need to be “Security Communications Experts,” improving cybersecurity literacy across the C-suite.
CISOs are now evolving from a Contributor to a “Business Thought Leader,” from a Data Protector to a “Risk Manager,” from an Enforcer to an “Educator” and, last but not least, from a Backstop to a “Trusted Advisor.” Today’s CISO enables the business and boosts the bottom line.