Today’s CISO: How The Role Has Evolved

The modern-day Chief Information Security Officer (CISO) has developed with the ever-changing cyber threat landscape. The siloed CISO should now be a thing of the past, as they are fundamental to organisational business decisions.

CISOs are integral to a business and are now entitled to a seat at the boardroom table. While business demands are intensifying, the role of the CISO is becoming a transformational one, creating a value-centric security architecture to mitigate both cyber and business risk. 

Protecting an organisation from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning across the entire organisation, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate publicly traded organisations to disclose their cybersecurity governance efforts, particularly the Board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader is critical to enterprise health. 

Why Cybersecurity Is Top Of The Priority List

The transformational CISO is the bridge between cybersecurity and the C-Suite. With that said, they must be able to effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organisation. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact.  

Historically, CISOs focused primarily on the tactical aspects of cyber risk without consideration of the bigger picture. Deploying security tools to identify threats and address vulnerabilities was our bread and butter, but assessing the bigger picture was more of a foreign concept. However, the proliferation of cyberattacks on a global scale has added a myriad of new variables to the equation. From nation state adversaries driven by geopolitical tension to digital extortionists driven by organised crime, the cyber threat landscape is now malicious and highly sophisticated - and it’s evolving as we speak.

In turn, the modern CISO must operate beyond day-to-day operations with a targeted focus on the bigger picture. 

Deciphering the impact of cyber risk requires visibility into the organisation’s “crown jewels.” These are the processes and assets that create the biggest market advantage, revenue growth, and sustained success. Obtaining that level of understanding is only possible through calculated communication with corporate leadership. Instead of merely asking the C-Suite what cyber threats keep them up at night, a more effective line of questioning could be, “What product or service offerings does our market success depend on right now? Which key differentiators are critical to rising above industry competitors?” 

Then, with deeper insight into the organisation’s highest-value assets, CISOs can construct a security architecture designed to safeguard critical processes and minimize business disruption.

Instilling A Security Culture In The Team

The transformational CISO is responsible for fostering a company-wide culture of cyber resilience where all employees play a role in safeguarding the organisation. However, generating that collective cannot be accomplished through static engagement and one-size-fits-all training that lack contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice - and that we’re offering it with their best interest in mind - there’s a far better chance it will translate to positive action.  

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand. When given a paved road of proven protocols to follow, employees will be more inclined to follow protocols and keep the organisation safe. Compounded at a macro level, it creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture. 

How To Succeed As A CISO

As a CISO myself, I’ll be the first to acknowledge that engaging the C-Suite on cybersecurity matters isn’t always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded “B” word. She continued, “BUT, what we really want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’” 

If I wasn’t prepared to address her concerns, the whole business case we were proposing could’ve been derailed -  resulting in unaddressed issues that could our business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day. To effectively answer them, keep these five areas of focus in mind. 

Choose the Right Framework:    Select an industry recognised framework that not only aligns with your organisation’s risk profile, but also demystifies cybersecurity measures to the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that can be more easily consumed by business leaders.

Measure Your Maturity:    It’s not enough to simply adopt and leverage a security framework. As you implement its various controls, make sure to baseline and measure the maturity of your top security capabilities. That way, progress can be monitored over time. 

Benchmark Against Industry Peers:    An organisation’s level of cyber spend should be relative to its risk profile. But as your maturity improves, identify how the organisation’s security architecture is performing in relation to the sector at large – that can help determine if you’re spending too much or too little. 

Set an Optimal Target:    Organisations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.

Continuously Measure Effectiveness:    Even with a well-defined framework, maturity model, benchmark, and goal in mind, one key question remains: are you utilizing your limited resources effectively? As organisations deploy, maintain, and operate their security programme, continuous measurements and assessments should be non-negotiable.  

Frank Kim is a SANS Fellow and Instructor and the CISO-in-Residence at YL Ventures.

You Might Also Read: 

What Should CISO’s Look Out For In 2023?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Browser-Based Social Engineering Trends
How To Back Up GitLab To Prevent Data Loss  »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Infortec

Infortec

Infortec provide consultancy and solutions for the protection of digital information and the management of computer resources.

Dell Technologies

Dell Technologies

Dell Technologies Consulting Services enables a highly resilient business amidst the proliferation of cloud-based IT services and constant threats to your most critical information.

Portuguese Institute for Accreditation (IPAC)

Portuguese Institute for Accreditation (IPAC)

IPAC is the national accreditation body for Portugal. The directory of members provides details of organisations offering certification services for ISO 27001.

Connectitude

Connectitude

Connectitude IIoT Platform ™ is a complete solution for industrial IIoT.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

VIQU Recruitment

VIQU Recruitment

VIQU Recruitment was formed with the primary focus of providing 'Smarter People Solutions' to the UK’s professional IT & Cyber Security markets.

Global Accelerator Network (GAN)

Global Accelerator Network (GAN)

Global Accelerator Network are a highly curated community of independent Accelerators, Partners and Investors.

Munich Re

Munich Re

Munich Re is a leading global provider of reinsurance, primary insurance and insurance-related risk solutions including Cyber.

SDG Corp

SDG Corp

SDG is a global cybersecurity, identity governance, risk consulting and advisory firm, addressing complex security, compliance and technology needs.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

SignalSEC

SignalSEC

SignalSEC provides vulnerability intelligence, malware analysis, penetration testing and associated training services.

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

RAND Corporation

RAND Corporation

The RAND Corporation is a non-profit institution that helps improve policy and decision making through research and analysis.

Elba

Elba

Employee security needs to be reinvented. SaaS security needs to involve end-user and awareness needs to be actionable. Meet elba, the 5-in-one cybersecurity hub with no compromises.

Defence Labs

Defence Labs

Defence Labs is a cybersecurity company specialising in cost effective penetration testing for small-to-medium sized enterprises.