Today’s CISO: How The Role Has Evolved

Uploaded on 2023-06-29 in NEWS-Cybersecurity News, FREE TO VIEW

The modern-day Chief Information Security Officer (CISO) has developed with the ever-changing cyber threat landscape. The siloed CISO should now be a thing of the past, as they are fundamental to organisational business decisions.

CISOs are integral to a business and are now entitled to a seat at the boardroom table. While business demands are intensifying, the role of the CISO is becoming a transformational one, creating a value-centric security architecture to mitigate both cyber and business risk. 

Protecting an organisation from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning across the entire organisation, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate publicly traded organisations to disclose their cybersecurity governance efforts, particularly the Board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader is critical to enterprise health. 

Why Cybersecurity Is Top Of The Priority List

The transformational CISO is the bridge between cybersecurity and the C-Suite. With that said, they must be able to effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organisation. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact.  

Historically, CISOs focused primarily on the tactical aspects of cyber risk without consideration of the bigger picture. Deploying security tools to identify threats and address vulnerabilities was our bread and butter, but assessing the bigger picture was more of a foreign concept. However, the proliferation of cyberattacks on a global scale has added a myriad of new variables to the equation. From nation state adversaries driven by geopolitical tension to digital extortionists driven by organised crime, the cyber threat landscape is now malicious and highly sophisticated - and it’s evolving as we speak.

In turn, the modern CISO must operate beyond day-to-day operations with a targeted focus on the bigger picture. 

Deciphering the impact of cyber risk requires visibility into the organisation’s “crown jewels.” These are the processes and assets that create the biggest market advantage, revenue growth, and sustained success. Obtaining that level of understanding is only possible through calculated communication with corporate leadership. Instead of merely asking the C-Suite what cyber threats keep them up at night, a more effective line of questioning could be, “What product or service offerings does our market success depend on right now? Which key differentiators are critical to rising above industry competitors?” 

Then, with deeper insight into the organisation’s highest-value assets, CISOs can construct a security architecture designed to safeguard critical processes and minimize business disruption.

Instilling A Security Culture In The Team

The transformational CISO is responsible for fostering a company-wide culture of cyber resilience where all employees play a role in safeguarding the organisation. However, generating that collective cannot be accomplished through static engagement and one-size-fits-all training that lack contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice - and that we’re offering it with their best interest in mind - there’s a far better chance it will translate to positive action.  

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand. When given a paved road of proven protocols to follow, employees will be more inclined to follow protocols and keep the organisation safe. Compounded at a macro level, it creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture. 

How To Succeed As A CISO

As a CISO myself, I’ll be the first to acknowledge that engaging the C-Suite on cybersecurity matters isn’t always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded “B” word. She continued, “BUT, what we really want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’” 

If I wasn’t prepared to address her concerns, the whole business case we were proposing could’ve been derailed -  resulting in unaddressed issues that could our business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day. To effectively answer them, keep these five areas of focus in mind. 

Choose the Right Framework:    Select an industry recognised framework that not only aligns with your organisation’s risk profile, but also demystifies cybersecurity measures to the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that can be more easily consumed by business leaders.

Measure Your Maturity:    It’s not enough to simply adopt and leverage a security framework. As you implement its various controls, make sure to baseline and measure the maturity of your top security capabilities. That way, progress can be monitored over time. 

Benchmark Against Industry Peers:    An organisation’s level of cyber spend should be relative to its risk profile. But as your maturity improves, identify how the organisation’s security architecture is performing in relation to the sector at large – that can help determine if you’re spending too much or too little. 

Set an Optimal Target:    Organisations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.

Continuously Measure Effectiveness:    Even with a well-defined framework, maturity model, benchmark, and goal in mind, one key question remains: are you utilizing your limited resources effectively? As organisations deploy, maintain, and operate their security programme, continuous measurements and assessments should be non-negotiable.  

Frank Kim is a SANS Fellow and Instructor and the CISO-in-Residence at YL Ventures.

You Might Also Read: 

What Should CISO’s Look Out For In 2023?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Browser-Based Social Engineering Trends
How To Back Up GitLab To Prevent Data Loss  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Kaseya

Kaseya

Kaseya is a premier provider of unified IT management and security software for managed service providers (MSPs) and small to medium-sized businesses (SMBS).

AML Solutions

AML Solutions

AML Solutions offer a full range of Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) services.

AdNovum Informatik

AdNovum Informatik

AdNovum Informatik provides a full set of IT services, ranging from consulting, the conception and implementation of customized business and security solutions to maintenance and support.

Semperis

Semperis

Semperis is an enterprise identity protection company that enables organizations to quickly recover from accidental or malicious changes and disasters that compromise Active Directory.

Swimlane

Swimlane

Swimlane is a leader in security automation and orchestration (SAO). Our platform empowers organizations to manage, respond and neutralize cyber threats with adaptability, efficiency and speed.

MAD Security

MAD Security

MAD Security is a premier provider of information and cybersecurity solutions that combine technology, managed security services, support and training.

NeuroChain

NeuroChain

NeuroChain is an intelligent ecosystem that is more secure, more reliable and much faster than blockchain.

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71) is Singapore's first cybersecurity entrepreneur hub.

FortKnoxster

FortKnoxster

FortKnoxster is a cybersecurity company within the Crypto & FinTech space. Our encryption technologies are blockchain integrated.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Pacific Global Security Group

Pacific Global Security Group

Pacific Global Security Group offers an intelligence-driven focus on all aspects of cybersecurity for IT/ICS/OT.

Atlant Security

Atlant Security

Atlant Security is a cyber and IT security company offering consulting and implementation services.

Adversa AI

Adversa AI

Adversa's mission is to build trust in AI and protect AI from cyber threats, privacy issues, and safety incidents.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

WinMagic

WinMagic

At WinMagic, we’re dedicated to making authentication and encryption solutions that protect data without causing user friction so that everyone can work freely and securely.

Rakuten Maritime

Rakuten Maritime

Rakuten Maritime is your trusted partner in maritime cybersecurity, offering comprehensive and proactive solutions tailored to every stage of a ship’s life cycle.