This blog post was written by Grant Bourzikas, former CISO at McAfee.
With the growth of the digital world, we have seen a corresponding growth in cyberthreats. These range from the annoying to the downright catastrophic. And as these threats evolve and mutate, we have also seen the evolution of a formerly overlooked player: the Chief Information Security Officer, or CISO.
Not only is the CISO's role changing, but so is their relationship to the organization they work in. Where once many reported to the Chief Information Officer (CIO), many now report directly to the CEO or the Board. In this new role, CISOs also need new skills.
The CISO was first brought into the modern business organization to monitor and analyze potential security risks for the company. Traditionally, CISOs have come from the technical side and perhaps did not have to understand the whole business. Leadership, communication skills, or an in-depth business background may not have been job requirements.
But this is changing.
With the advent of some high-profile hacks (last summer's Equifax debacle comes to mind; the CEO lost his job), it's fair to say the top of the C-suite is seeing the importance of cybersecurity. The challenge for the modern CISO is to discuss the business issues causing the security challenges, rather than just talking technology. When CISOs bring ideas to the executive table framed in terms of choices and business integration, it is more likely that issues will be addressed and remediated.
How do the roles of the CIO and CISO differ? They are both involved with Information Technology, but from different angles. The CIO's charter is to ensure information is available to run the business; the CISO's charter is to ensure security without affecting the availability of business services. This could be an adversarial relationship, but approached properly, from a holistic viewpoint, it can work well.
Every organization handles security differently, based on its needs and internal structure. The CIO has traditionally worked on the management side of a company and is internally and operationally focused. CISOs, by the nature of the threats they face, are outwardly focused. Given those different orientations, silos can be fatal to a company. Also, since the CISO often reported to the CIO, the two weren't always seen as peers. One perception is that CIOs are seasoned veterans and leaders, while CISOs are younger and more specialized. But as reality changes, neither should be put in a box.
The CISO’s role has become more elevated because of the importance of data management in the Digital Age. We see that without cybersecurity, a company can be seriously compromised, both monetarily and in reputation. For many companies, information and security are not part of the business; they are the business.
The CISO has also become the go-to person when working with cybersecurity vendors. Since there are over 1,000 cybersecurity companies of varying size and scope, the role frequently means getting different flavors of software to work together. Once that is accomplished, the CISO also needs to communicate what they are doing to the rank and file of the organization.
As I travel the U.S. and the world, I am frequently asked along on sales calls, and I am often asked questions about strategy, Board of Directors reporting, metrics, Security Operations, and product delivery. However, when I address these topics, I stress that CISOs must look at the business as an organic whole rather than focusing on technology. If you focus just on technical choices, one might look at cybersecurity as a cost. The right approach is to focus on the business and on managing the environment, as well as communicating how security is important to the company's success.
In sum, today's CISO has an important and expanded role in managing a company's security health. They should have a relationship with both the CEO and the Board, so that the organization can accurately assess its threat landscape. A good CISO is also a good leader and communicator, and someone who can influence the organization to drive toward the outcome of ensuring the security and availability of systems. In short, the role has evolved from a specific function to a vital part of a company's management.
What’s your view? I’d like to hear it.