What is now required is political acumen, managerial experience and personal gravitas, more than raw technology skills. In spite of being widely used, the role of the Chief Information Security Officer (CISO) has only had a few decades of existence and is still evolving.
Research from the Security Transformation Research Foundation — based on the semantic analysis of the content of 17 annual global security reports from EY between 2002 and 2019 — points towards the role having already gone through 2 clear phases in its evolution, as it heads into its third decade of existence.
The first decade of the century was essentially a “Compliance Decade”: Security was seen as a balancing act between compliance requirements, risk appetite and costs; the CISO was mostly a risk manager.
The last decade has been effectively a “Realisation Decade”, during which cyber security started to be seen as a necessary barrier against real threats, in a context of increasing cyber-attacks and data breaches (in number and scale), massive technological change and the aftermath of a historical financial crisis.
As a matter of fact, the last decade has been particularly complex for CISOs.
Not only the non-stop avalanche of cyber-attacks has prevented them from getting out of firefighting mode, but their role has also been challenged — and in many cases marginalised — at a number of levels:
The emergence of cloud technologies, coupled with, and energizing the digital transformation urgency in many industries, has changed the roles of the CIO and the CISO; in many firms, the CIO now has to share powers with Chief Data or Digital Officers and, at the same time, deal with an increasing number of powerful service providers, enduring legacy technology and technical debt, and increased pressure from business units looking to gain a digital competitive advantage; something the COVID crisis has accentuated even further.
Over time, the historical role of the CISO, if it remains attached to the historical role of the CIO, runs the risk of being marginalized with it, becoming the guardian of an increasingly empty shell surrounded by an increasingly complex supply chain.
At the same time, large scale cyber-attacks have put cyber risk firmly on the Board’s agenda, but “Information Security” — the traditional perimeter of the CISO — is often seen as only one aspect of a much bigger problem: The Board wants to see a fuller picture, encompassing the whole capability of the enterprise to sustain a cyber-attack and recover from it. In larger firms, this “resilience” concept tends to lead to the emergence of broader enterprise security functions which push down the historical role of the CISO.
This is deepened by the importance privacy regulations are also playing in shaping up the board agenda around security — in Europe with the GDPR, and gradually, through equivalent legislations throughout the U.S. and the world.
GDPR, in particular, has been a big topic in many firms over the last few of years. Tens of millions have been spent towards “compliance” in larger firms, and a good proportion of that went towards security-related measures, but many CISOs have failed to capitalise politically on the topic which has been treated — broadly — as a legal issue. The “Data Protection Officer” roles and other “Chief Privacy Officer” functions which are emerging in relation with the implementation of the GDPR and other legislations, are likely to create an additional corporate layer “breathing down the neck” of many CISOs and altering their historical ways of working.
As the role heads into its third decade with a firmer transformative mandate to bring the cyber-attacks epidemic under control, business leaders must take a different look at it.
It is time to stop searching for non-existent profiles, expecting the CISO to be credible one day in front of the Board, the next in front of hackers, the third in front of developers, and all the way across the depth and breadth of the enterprise and its supply chain.
Those profiles don’t exist anymore, given the transversal complexity cyber security has developed over the past two decades. The role of the CISO has to be one of a leader, structuring, organising, delegating and orchestrating work across their team and across the firm — and across the multiple third-parties involved in delivering or supporting the business.
In essence, knowing what to do is reasonably well established and cyber security good practice — at large — still protects from most threats, and still ensures a degree of compliance with most regulations.
But by focusing excessively on purely technical approaches to cyber security challenges, large organizations have failed to protect themselves effectively and efficiently, in spite of massive investments in that space over the last two decades.
This is essentially due to the cross-silo complexity of the problem which would require a mid to long-term focus to be properly addressed, and comes in conflict with endemic corporate short-termism, leading to execution failure.
Increasingly, in the face of non-stop cyber-attacks in large firms, the key priority around cyber security is now to get things done.
The role of the CISO is entering its third decade of existence and it is likely to be an “Execution Decade” with cyber security becoming an imperative, as the “when-not-if” paradigm around cyber attacks takes root in the boardroom.
But large organizations have to face their own inherent complexities and accept that the time has come to look differently at the role of the CISO in that context: This is no longer about throwing money at alleged tech solutions.
The role of the CISO is becoming a true leadership role and what is required to get things moving is political acumen, managerial experience and personal gravitas, over raw technology skills.