Like a mythical hero battling the multiheaded monster Medusa, a CISO today is expected to be a clean-up crew, educator, visionary, and implementer. All the while, CISOs are expected to convey cyber risk to the C-suite and, most demanding of all, engage the individuals within the startup, scale-up, or established enterprise to improve its security posture.
With such dynamic and evolving responsibilities, modern CISOs are thrust into a complex pressure cooker that mixes demands for vast interdisciplinary skill sets with the ability to simplify complex problems into actionable solutions. For the faint of heart, the challenges may be too much; but for the special few, the forward-thinking and constantly growing CISOs, the opportunities to improve organizational security are nearly endless.
What was expected of a CISO in the past?
In the 1990s, when the first CISOs began to take their place among corporate executives and other risk management professionals, the expectations were considerably clearer than they are today. The fall guy for cyber attacks? Check. Technical voice of caution misunderstood by most? Double check. Corner desk but little access or real ability to alter a company’s security posture? Another score in the check box. Those were the days: simpler times, when the CISO could pick up some of the slack but in general was not constantly put on the hot seat.
In all honesty, although this is a highly simplified overview of initial expectations, its intention is clear. From day one, CISOs have had to change their modus operandi to meet the needs of an organization that often doesn’t understand the CISO’s role or expectations.
Maybe a CISO was expected to produce some sort of road map to manage InfoSec risks better or, better yet, to maintain broader compliance with ISO or other standards. Others may have thought CISOs should be tasked with managing and evaluating the risks third parties pose to proprietary data, or even with optimizing existing hardware to enhance security.
TechTarget defines a CISO as follows: “The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems, and assets from both internal and external threats.”
Factors that change the job description
Between the quickly changing threat landscape, organization-specific risk factors, and the vastly complex compliance structure demanded of strategic enterprises, the expectations for a CISO have expanded exponentially.
No longer can a CISO be siloed into managing just one cyber risk element. More than ever before, CISOs are expected to be cyber risk evangelists and educators, incident responders, and corporate communicators.
For many, the impression is that today’s CISO is more like a juggler tossing flaming incident after flaming incident into the sky, attempting to manage one fire before the next one dominates the scene.
CSO Online divides the core responsibilities into a few groups, including:
- Cyber risk and intelligence
  - Forward-facing risk assessments and policies to mitigate evolving threats
- Data loss prevention
  - Ensuring staff and contractors don’t steal or compromise IP
- Program management
  - Instead of waiting for the next devastating attack, building the core programming to keep your data safe
- Security operations
  - Understanding the most timely threats and cyber risks and mitigating them in real time
- Organizational governance
  - Ensuring an organization consistently maintains established industry best practices for security implementation
Billy Spears and Matthew Rosenquist enlighten the conversation
Before 1994, the idea of a CISO was a pipe dream. In the nearly two decades since, the CISO’s role has evolved from seamlessly blending basic security monitoring and compliance approaches to holistically creating and implementing dynamic and overarching security strategies.
According to Matthew Rosenquist, a seasoned cybersecurity leader with over 25 years of IT experience, one of the most prominent changes for a CISO is the level at which they report and communicate with top company executives.
“We’re seeing a major increase in [accessibility]. CISOs that are no longer reporting 6 rungs down the ladder. Now they directly speak with the CEO and the board, so the visibility and expectations have never been higher.” Further complicating the situation, “the expectations of the customers are growing in kind. [They won’t settle for] ‘You lost my data’ or ‘you exposed this asset.’” Only by ingraining the CISO in the organizational hierarchy can security become paramount and buy-in be optimized from the top down.
Billy Spears, CISO of Teradata, emphasizes how significant cyber attacks and their fallout can dramatically change the expectations placed on a CISO. Reflecting on the shifting expectations of CISOs in the aftermath of attacks on marquee vendors such as SolarWinds or Colonial Pipeline, Spears said CISOs are now expected to communicate and visualize to invested parties every level of risk and force them “to take things more seriously because there are action and economic consequences behind its collective weight.”
Gaining broader consensus
Often C-suites will tout the objective of a CISO in broad brush strokes. The mantra goes something like this: The CISO must holistically develop a risk-averse security culture within the organization. The CISO must be the master of IT compliance. The CISO must protect us from unknown cyber threats.
What ties all these elements together is the ability to communicate effectively, establish strong interpersonal relationships, and build respect among employees at every rung of the company. In effect, by listening to the needs of the organization and its employees, the CISO is able to emphasize actual risks over red herrings.
What does this mean in practice?
From “minimizing esoteric jargon, tailoring conversations for the audience, [to] explaining cybersecurity strategy in clear terms, putting threats into a business context, and effectively leveraging different communication channels,” CISOs must ensure they are being heard.
Lessons learned and critical steps moving forward
“Security is involved in privacy, legal, productivity, breaches, threats, software — CISOs have their hands in everything.” But that’s not enough. Today’s CISO must go beyond perceived barriers and transform cybersecurity from buzzwords to relevant and accessible strategies.
Increasingly, CISOs are forced to think long-term, implement security strategies in the present, and not get lost in the minutiae in between. Effortlessly melding technical awareness, risk management, and endless technologies to get an edge on attackers, the CISO of today and tomorrow will be one part technocrat, one part innovator, and one part communication master, all the while thinking about the bottom line.
More so than ever before, CISOs’ roles are shifting, evolving with their organizations’ security needs and shortcomings. If the role is filled correctly and effectively to meet the problems at hand, a CISO today can drive a company towards greater compliance and establish a holistic cybersecurity culture from the ground up.
Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and enhance marketing strategies and cyber driven thought leadership for odix (www.odi-x.com), an Israel-based cybersecurity start-up. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.