The role of the CISO has evolved greatly over the years. Over the past 20 years leading security practices across multiple industry verticals for large Fortune 500 organizations, I have observed first hand its various shifts. The natural next question is what the next phase would look like. More importantly, will the CISOs of today be able to keep up with these challenges in the future?
Foremost we have to always be aware that we are not dealing with amateur attackers. We are dealing with well-funded organized crime. Well-funded nation states. Groups that have political agendas. They will be able to use information to influence political designs.
There will be a lot of investments in security analytics and emerging technologies. Just as tech can be used for good, those well-funded groups can also use them for criminal activities.
What CISOs need
So how can CISOs ensure they are well-equipped to take on both the present and future challenges of their job?
I have met many good CISOs who are passionate about security and information. From what I have seen, most understand the importance of where their data is and how to protect it. They understand the importance of privacy laws and regulations influencing this information around the world.
Their biggest challenge, I believe, is building a culture in the organization where each person understands his or her role with respect to cybersecurity. To do this, they must establish a security program supported by executive management, and this appropriately funded. What comprehensive road map can they use so that they could determine pieces that are missing in their overall security programs, and consequently fill those gaps?
In the book I recently published, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, I identify seven components of a cybersecurity program that all need to work well. Originally developed in the 1980s to measure organizational effectiveness, these 7 factors can be applied to cybersecurity leadership today to ensure the CISO is leading an effective program. The 7 factors are strategy, structure, style, skills, staff, systems and shared values. This is not introducing another framework, but rather applying sound management practices to leading cybersecurity to ensure the CISO is taking a holistic approach.
They need to work well, and to work well together. For example, you need to have a good security strategy that aligns with the business. When I say that, your program needs to understand the services that the company is providing, and the innovations it wants to offer.
If any of these components is not working well, you will have a deficiency in your program. For instance, you might have a sound strategy and a good organizational structure, but if you do not have good systems to support the CISO, a good control framework or a risk assessment process, then it will not matter how good your strategy is on paper or how well your organization is structured.
A look back
These days we take for granted the fact that the CISO is an important player in the organization, and that he or she has the ear of the executive leadership. But what were the events that led up to this shift, and what can the evolution tell us about where CISOs are headed?
Sometime in 1995, when the field was new, our notion of security was that it was a purely a tech function. It was all about the administration of user IDs, passwords and authorization. Around 2000, we moved into the compliance era. This was when many of the security laws were written. There was a lot of concern over how information, if it was exposed, could be a big risk for the organization.
By the mid-2000s, we moved into how we would be able to manage that risk. The years 2007 to 2016 comprised another period, when people started using mobile devices as they went about their work, migrating information and participating in threat intelligence.
After 2016, it became clear what the consequences of a breaches could be. Events like WannaCry and Petya have showed that such attacks could affect organizations to the tune of hundreds of millions of dollars. And so cybersecurity stared to move in earnest to the board rooms.
This brings us to where are today.
What it takes
At the heart of a good security program is its main driver, the CISO. The CISO has to have a base level of technical skills. They need to understand the capabilities of the technology.
But I’m a big believer in soft skills. CISOs, after all, will be reporting to the board, working with executive teams and end users. The CISO needs to be a good listener, presenter and negotiator and team builder. The CISO has to have empathy, knowing where the other person is coming from.
Because the challenges are constantly evolving, the successful CISO has the desire to be a lifelong learner, absorbing as much of what is going on as possible. For example, I do have a lot of certifications – I have plenty of suffixes after my name. But I did not do that for the sake of the letters. I took them so that they would force me to learn at a deeper level than I would otherwise have. Don’t we study more when there’s a test we have to pass, instead of just reading about it? That, for me, has always been a motivator.
Character is another must. Do they seem the kind of person that wants to learn with the team, and is easy to get along with?
Being named Chicago CISO of the Year for 2016-2017 made me look back to the odds I had faced and surmounted over the past 20 years. Crucial to this I think was my success at translating cybersecurity technology into business terms and helping people understand it. I was able to lead successful cybersecurity programs.
I also network a lot and thus also share a lot of information through presentations, articles, and of course my books.
Over the years I have learned many things. For instance, when you work with global organizations, there isn’t a one-size-fits all in terms of team sizes, funding, available technology. You have to be pleasantly surprised, though: Sometimes the smallest teams have the talent to outperform other teams in different countries.
I know too that my personal experiences are not enough: I spoke with some 75 top security leaders who have established standards for cyber, themselves award-winning professionals. They were happy to share their learnings for my latest book to amplify the cybersecurity leadership roadmap. It’s a good feeling being able to help other CISOs navigate the complicated, tricky, ever-changing field of cybersecurity.