[BreachExchange] COVID-19 Gives Rise to Next-Gen CISOs

Destry Winant destry at riskbasedsecurity.com
Fri Oct 16 10:42:10 EDT 2020


https://securityboulevard.com/2020/10/covid-19-gives-rise-to-next-gen-cisos/

Between managing digital transformation and overseeing security in the
new COVID-19 normal, are we witnessing the rise of next-gen CISOs?

This hasn’t been an easy time to be a CISO. At the end of 2019, the
main focus for many IT and security departments was a smooth
transition into digital transformation. That all shifted in March when
digital transformation turned into a frantic rush to make sure people
had the right setup to work from home and CISOs were charged with
keeping this patchwork of new connections to the network secure.
Between digital transformation efforts and a new COVID-19 normal,
CISOs increasingly need to pivot. Could this be the beginning of a
next-generation CISO?

“As digital transformation drives organizations to become more agile
and responsive, the CISO faces demands to quickly prove their worth as
an enabling force, while protecting the business in an increasingly
turbulent risk environment,” said Steve Durbin, managing director at
the Information Security Forum (ISF), in a formal statement. “Becoming
a next-generation CISO requires an individual to embrace and master
new skills and disciplines, making themselves indispensable,
future-proof and highly sought after.”

According to a briefing paper from ISF, many of the forces responsible
for the evolution of the CISO’s role are coming from external
pressures, such as the rush to digital technology, regulatory
compliance burdens and disruptive events including COVID-19 or natural
disasters. Internally, CISOs also must address changes in maturity
models that measure security. “Increasingly, maturity models are being
combined with risk management as a means of refining approaches to
information security and helping it become more relevant to the
organization’s way of doing business,” according to the paper.

Less Tech, More Talking

Initially, being a CISO was all about keyboards and command lines.
Today, even though the technical connection is still there and still
important, the CISO’s role has evolved so it is more closely linked to
business operations and is more concerned with risks that could
interrupt those operations. Where a CISO once was tightly connected to
IT, they are now expected to have regular access to the board and be
known around their organization for their advocacy of infosec, strong
leadership and knowledge of how tech can be used to help the business.

According to Mark Ward, senior research analyst at ISF, the
next-generation CISO is becoming less about tech and more about
talking. “CISOs are used to having their hands on the keyboard, but
they need to step away from that and get out and about, meet people
and solve their problems,” he said. “It’s becoming a real diplomatic
posting—partly because infosec as a discipline crosses the boundaries
of so many other departments.”

And yet, Ward added, digital transformation has made times interesting
for CISOs because suddenly technology is at the center of everything
an organization wants to do. “CISOs should be well-placed to help with
that, given their history and expertise with technology, and they
should get deeply involved in the digital transformation,” he said.
“That’s tough, as infosec has a reputation of slowing down
change—often for very good reasons—but next-gen CISOs are changing
that view.”

The Role of COVID-19

COVID-19 is, hopefully, a temporary situation, but its impact is going
to be felt for a long time in the infosec community. According to
research from Thycotic, spending on cybersecurity is going to increase
due to COVID-19 as more technology is added.

“I believe this was a path and direction most organizations have been
going down; however, it was always a lower priority,” said Joseph
Carson, chief security scientist and advisory CISO at Thycotic. “With
COVID-19, it has accelerated the investment into both cloud and remote
working budgets, which includes the need for secure remote access and
the ability to access from any location.”

Carson noted the importance of the next-gen CISO having a seat on the
company’s board, as it helps ensure the technology that supports
remote working environments is also secure by design. “The CISO needs
to be able to speak the same language as the board,” he said.

The novel coronavirus certainly sped up the change whiplashing through
organizations, which has put more pressure on CISOs to remain
relevant, Ward added.

“Right now next-gen CISOs are fairly rare, but I’d imagine a lot of
modern CISOs are going through a rapid evolution to that new status
and developing skills that will reshape how they, and their
organization, view them,” Ward continued. “It also gives them a great
opportunity because the pandemic has galvanized cyber thieves to
bombard organizations with attacks.”

CISOs are masters at handling adversity and can use that knowledge and
skill to demonstrate their growing relevance in new ways. Next-gen
CISOs, Ward said, will become known as trusted advisers across the
organization, as their deep knowledge of tech helps them offer solid
advice on technologies that can be used to get projects done so the
organization can move on.

