[BreachExchange] How a CISO’s Executive Role Has Changed

Thu Feb 25 11:08:36 EST 2021

https://securityintelligence.com/posts/how-chief-information-security-officer-skills-have-changed/

Ever since the role of the chief information security officer (CISO)
was first created in 1994, the position has been treated like the
pesky youngest sibling in the C-suite family. In the office, the CISO
wasn’t given the same voice as the chief information officer (CIO) or
other executives. During meetings of the board of directors, the CISO
often wasn’t given a place at the table, and digital defense wasn’t
treated as highly important for the business.

Now that CISOs have greater access, directors and other C-suite
members are more willing to see that their domain isn’t a separate
entity but needs to be part of overall business plans. So, how has
this change come about? How did the CISO come to gain a seat at the
table with the rest of the C-suite? And, what do they need to do in
order to succeed there?

CISO Brought to the Fore

Nowadays, entities across industry verticals have suffered major data
breaches or been the victim of high-profile ransomware attacks.
Because of this, cyber defense has taken on a new urgency. At the same
time, there has been a slow shift of the duties of the CISO. Twenty
years ago, the typical CISO was someone who had good tech skills first
(often coming from an IT role) and could understand basic defensive
tools.

“Now, a good CISO will have regular access to the board and be known
around their organization for their advocacy of infosec, good
leadership and their knowledge of how tech can be used to help the
business,” Mark Ward, senior research analyst at the Information
Security Forum, says in an email interview.

What Makes the CISO Unique in the C-Suite?

All of these acronyms for different C-suite titles can be confusing.
Most people know the terms ‘CEO’ and ‘chief financial officer,’ and
their job descriptions are consistent. There is no question about who
is in charge of finances or overall leadership. But when you get to
tech leadership, the titles become a little murkier.

In addition to CIO and CISO, businesses may have chief technology
officers, chief security officers and chief data officers. There is
overlap, and not all companies will have each of these positions.

The CIO is in charge of IT, while the CSO handles all security across
the board, physical and digital. The CISO handles data, systems and
network security. Originally this position was created to handle
cyberattacks against a financial entity, but today, the role of the
CISO is much more complex. The CISO’s responsibilities include leading
the team handling real-time threats and mitigation of attacks,
overseeing the security architecture and the protection of the
corporate infrastructure, and implementing security policies and
management designed to foresee and address risk. These can include
security awareness training and creating repair protocols.

New Soft Skills

Where it started out as a tech-centric position, the CISO role has
begun to change. Now, soft skills are as important as technical
skills. According to research from Information Security Forum, today’s
CISO needs to be a good manager and have people skills, as well as
seeing how cyber risks fit into business overall. They need to
understand the goals of the wider business and how those intersect
with security.

“It is a position that has become defined by personality, history,
practice and the demands of individual organizations, rather than
through clearly defined policies and procedures,” the research notes.
“Next-generation CISOs will need to respond to these forces and take a
keen interest in a wide variety of topics to stay at the top of their
game.”

Many CISOs will have an engineering or IT background, which is
important for the architecture and infrastructure side of the job, but
good defense is also about building partnerships. Practicing good
security hygiene doesn’t come naturally to anyone, so it is the CISO’s
job to be a teacher and mentor. They should be able to talk openly
with everyone from the company president to the front desk
receptionist and everyone along the supply chain. A standoffish CISO
will discourage employees from coming forward to report a mistake
(like clicking on a link) that could lead to a major cyber incident.
Also, the CISO must build a solid knowledge base of every step in the
business structure. The systems they oversee should run in tandem with
other parts of the business, not slow down production.

>From Executive to the Board Room

In the past, most members of the C-suite didn’t understand what the
CISO’s role was. CISOs often had to report to other leaders. The CIO’s
job included giving cybersecurity reports to the board of directors,
if the topic was even on the agenda. What changed is the amount of
digital tools in the workplace and the rise of digital risks.

This knowledge comes from seeing the actual damage done by digital
attacks. However, truly effective messaging across the C-suite
requires another one of the CISO soft skills — good communication.
CISOs must research defensive systems that also balance return on
investment and other business goals. They must explain what they see
back to the board in order to get proper funding and support.

The role of the CISO is evolving, just as cyber threats evolve. The
importance of digital defense has finally reached the board table, and
it is up to tomorrow’s CISO to make the most of the change.