- Articles
- The evolving role of the CISO
Table of Contents
In 2017, 27 billion devices were connected using the Internet of Things (IoT). The International Data Corporation forecasts there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data by 2025. This explosion of connectivity has provided endless new opportunities for companies to grow, impacting everything from new product development to customer acquisition, even in traditionally non-digitized industries. However, with these opportunities comes a high increase in cyberthreats. As the amount of data being generated by a company continues to grow, they become prime targets for information theft.
What is a Chief Information Security Officer?
The Chief Information Security Officer (CISO) role dates back to 1994 when banking giant Citigroup (then Citi Corp. Inc.) suffered a series of cyberattacks, and created the world’s first formal cybersecurity executive as a result. The CISO has since been the executive responsible for protecting an organizations’ proprietary data and intellectual property and managing a company’s overall security. While in the past the role has been rather narrowly defined along those lines, as the connected devices and the sheer amount of data has increased, the role of CISO has dramatically evolved to taking a stronger and more strategic leadership role.
The role of the CISO now involves far more than just ensuring regulatory compliance and adherence to ISO standards (although ensuring compliance with applicable regulations and laws is still a big part of the role). They are responsible for a company’s security strategy and risk management, assessing the company’s security vulnerabilities, staying abreast of changing technologies, and allocating resources to facilitate the strategy. A 2019 study by 451 Research and Kaspersky reported 70% of CISO respondents as saying that an emphasis on risk management is a top change in the CISO’s role, and risk management expertise is among the top three skills that CISOs cite as important.
CISO responsibilities
The CISO is responsible for ensuring the company’s data is protected from any number of threats, including cyberattacks, data breaches, ransomware, and phishing scams—ultimately keeping the business digitally secure, but without such stringent practices that makes conducting business almost impossible. This can often cause friction between other areas of the business. While in most cases the CISO works in tandem with or reports to, the Chief Information Officer (CIO) to achieve the security goals, the CISO’s instincts are to lock down systems and make them harder to access, but the CIO and their team are tasked with making information and applications readily available for those who need them within the organization.
Today’s successful CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board. The actual mix of technical and nontechnical skills that a CISO requires will differ by type of organization, size, industry, etc. however, you can expect the job description to encompass any of the following:
- Security operations: Key to this role is the real-time analysis of immediate threats and solving issues when issues occur. If there is a data breach, the CISO will undoubtedly be involved in the incident response, including determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats.
- Risk management and cyber intelligence: Keeping up to date with developing security threats, and developing a strategy to tackle the potential security problems that might arise.
- Advisor to the board: Keeping the board up to date on the security challenges that might arise from big business moves.
- Data loss and fraud prevention: Ensuring employees are trained and educated in the company’s data policies, such as the repercussions of the misuse or theft of company data.
- Security architecture: Planning, purchasing, and rolling out security hardware and software, and making sure IT and network infrastructure has been designed with best security practices top of mind.
- Identity and access management: Ensuring that only authorized people have access to restricted data and systems.
- Program management: Implementing programs or projects that mitigate security risks.
The breadth of information security and its ever-changing landscape and threats means CISO’s must be hyper-aware of developments in the cybercrime world, learning the sophisticated tactics that cybercriminals are using to attack companies. Thanks to the explosion of the digital supply chain, there are more potential network entry points for cybercriminals than ever before, each posing an added challenge for the CISO. As soon as one door closes, cybercriminals find another one, often demanding substantial sums of money in return for keeping the data they get access to private. In fact, some organizations face hundreds of intrusion attempts every day. According to data from Juniper Research, the average cost of a data breach in 2020 will exceed $150 million. Cybercrime will more than triple the number of CISO job openings over the next five years, with Cybersecurity Ventures predicting there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014. Learn how to avoid the high cost of cyber attacks in this blog.
How important is the role of CISO?
A survey from the IDC sponsored by CapGemini of over 1,000 large enterprise executives across the globe found that both information security, and the people managing it, are regarded as more important than they were three years ago. 69% of non-CISO respondents said information security has increased in importance while 77% reported that the personal influence of the CISO had also improved. 90% of executives surveyed said the CISO is involved in significant business innovation and change decisions, while over 60% said they attend board and executive management meetings.
Furthermore, in the previously mentioned 451 Research and Kaspersky study, CISO respondents were asked whom they reported to which serves as a good indication of how important they are viewed within the organization. 41% – the largest segment – reported directly to the CEO and 23% reported to the board of directors. Even those who did not report directly to the board were sought out for their expertise. It would appear, therefore, that CISOs are seen as critically important within an organization.
Yet, according to a KPMG and Harvey Nash report, only 29% of CISOs believe they’re very well-positioned to deal with security risks.
Despite cybersecurity becoming a far more visible aspect of the modern business, CISOs are often struggling for funding. In fact, in the 451 Research and Kaspersky study, when asked what puts the highest pressure on cybersecurity management, competition for budget (46%) is ranked almost as high as the growth and severity of attacks (49%). High-profile breaches and privacy concerns are not going away, and if companies wish to remain in business, their cybersecurity strategy must be viewed as fundamental to the ongoing success of the organization.
The key to being able to respond quickly and proactively to the automated attacks is through intelligence-driven cybersecurity. Undoubtedly CISOs have their work cut out for them, as they try to stay one step ahead of the criminals. It’s no surprise, therefore, that 91% of CISOs say they suffer from moderate or high stress. In the same survey from Nominet, 27.5% of CISOs said stress affects their ability to do their jobs. Worse still, almost half (48%) of CISOs say work stress had a detrimental impact on their mental health last year, almost twice as high as 2018 (27%).
While larger organizations are better prepared for cyberattacks than small-mid sized businesses—which may not have adequate information security measures and resources in place to protect themselves—it is still somewhat of an uphill battle for the CISO to stay that all-important step ahead of the cybercriminals. As the role of corporate security becomes more and more critical, CISOs—especially those at larger organizations—often oversee a team of security professionals that work for the company. Smaller firms that are taking cybersecurity seriously may outsource the job to a company that provides managed services. Some companies do a combination of the two.
The role of the CISO is clearly evolving in response to the changing business world. In recent years CISOs have made significant progress, expanding their influence and improving the reputation of information security, firmly establishing CISOs as a strategic, business-critical role that is fundamental to competitive advantage. Undeniably, one of the biggest strengths of today’s CISO is to have a finger firmly on the pulse of changes in the cybercrime world, and the ability to adapt quickly to new threats before the criminals are able to do serious damage.