[BreachExchange] The State Of The CISO Role: How Will It Change In 2019?
destry at riskbasedsecurity.com
Thu Mar 21 01:43:19 EDT 2019
There were 184 million ransomware attacks worldwide in 2017, according
to Statista (paywall), and new threats seem to emerge every day. With
the cybersecurity space facing growing risks as hackers become more
sophisticated, the typical C-suite clearly requires a dedicated
security executive — hence the chief information security officer
As a relatively new C-suite role, the CISO has traveled a somewhat
bumpy road toward widespread adoption. Not all organizations have
embraced the need for a CISO yet; some have elected to keep all
security initiatives under the chief information officer (CIO) role.
Similarly, organizations with CISOs may box the executives out of
product development, often because a focus on security can reduce
speed to market.
However, as industry awareness of security concerns rises, I've
noticed that businesses are realizing the necessity of hiring a CISO —
and incorporating their expertise into organizational decision making.
The CISO Role So Far
Many enterprise leaders still associate the chief cybersecurity role
with the CIO. But comparatively, the CIO role is broader than the CISO
role — the CIOs I know typically shoulder responsibility for the
entire organization’s infrastructure and information management.
The CISO, on the other hand, typically digs into the nitty-gritty of
security. While CIOs typically determine how to store data, CISOs may
decide how to secure it. They usually develop and manage key aspects
of the organization’s data security strategy, including encryption
standards, access protocols, compliance requirements, incident
response standards, and more.
A focus on profitability presents another point of tension in the
comparison between the CIO and CISO roles. In my experience, when
DevOps teams build new products, they aren’t always incentivized to
obsess over the security of a product they’re rushing to market.
From the CISO’s point of view, however, the behavior of those product
teams would be reckless — it prioritizes short-term profit over
long-term dangers. If there’s no security leader in the room, there
may be no voice of reason questioning how a product would stand up
against bad actors once it’s in the hands of customers.
In the past, chief security responsibilities typically nested under
the CIO. However, I believe the responsibilities and workload of
network security and broader network operations now surpass the
capabilities of a single corporate executive. It’s time for
corporations to get serious about defining and embracing the CISO
The Evolving CISO Role
CISOs aren’t always the most popular voices in the room because their
concerns can sometimes limit the enterprise’s ability to develop and
launch products quickly. But as organizations increasingly grasp the
need for enhanced security strategies in new offerings, I predict that
employers will start to see their CISOs differently — to the benefit
of everyone, from executive leaders down to the end customers. This
could happen in several ways:
• The CISO role will grow and gain respect. C-suite leaders often
appreciate the urgency of strategic security concerns when new tech —
such as IoT and AI — emerges. But organizations that continue to rely
on CIOs for their security strategies should be wary of the
consequences associated with a single executive who tries to fill the
jobs of two people. Consumers notice security risks too and aren’t
backing away from concerns about their data. PwC found that 71% of
consumers studied would stop doing business with a company for giving
away their sensitive data without permission — and 69% said they
believed companies were vulnerable to attacks. In response to the
concerns of users, I expect that businesses will bow to the pressure
and invest more in cybersecurity expertise and leadership.
• The CISO will become an enabler rather than a disabler. While some
operations folks may roll their eyes at CISOs’ tendencies to slow down
product development, emerging legislation will likely implement
further protections for customer data. When smaller tech players
become aware of the dangers of violating regulations like the European
Union’s General Data Protection Regulation (GDPR), the consequences of
noncompliance could become much more real. As more legislation emerges
to define how organizations use and store sensitive data, I expect
that CISOs will transition in people's minds to enablers — key
consultants in the mandated security elements of development — rather
than barriers to product launches.
• Enterprises will embrace CISOs’ teaching function. Employees can
present a serious risk to the enterprise due to poor security
practices, including by choosing easy-to-break passwords, clicking on
malicious links in phishing emails and working on public Wi-Fi
networks. In fact, Willis Towers Watson claims 66% of cyber breaches
are caused by employee negligence or malfeasance. Two examples of this
are the 2016 FDIC breach reportedly caused by an employee's personal
storage device and a City of Calgary privacy breach that allegedly
originated from an employee email. The CISO’s job should include
developing and communicating security best practices for the
workplace. If we witness employees of major companies harming their
employers through a lack of security knowledge, I expect
organizational leaders to embrace CISOs’ ability to teach safe and
smart technology practices.
While the CISO role may not be as widely accepted as the CIO role yet,
I believe cybersecurity risks necessitate a C-suite security position.
Going forward, I predict profit-minded executives will increasingly
understand that their customers and bottom lines can suffer if they
don’t adequately prioritize security — creating new opportunities for
CISOs to spread their wings in the enterprise.