Not a decade ago, cybersecurity was an emergent concept that few enterprise leaders were well-versed in or even concerned with.
Now they can’t go a day without discussing the dangers of cybercrime.
This has made the role of the CISO ever more critical — but at the same time not as well-defined. Much more is expected of the modern CISO than keeping up with security vulnerabilities and threats and ensuring patches are made and bugs fixed.
“The business has changed, the role of what we want the CISO to do has fundamentally changed,” Frank Dickson, group VP for IDC’s security and trust research practice, told SDxCentral. “CISOs have been forced to excel at skills they probably didn’t anticipate, the job is now different than we expected.”
From customer support to overall leadership
A recent IDC survey sponsored by Check Point Software explored this very topic of the evolving role of today’s security leaders. The report reveals that, in addition to cybersecurity expertise, today’s “digital-first CISO” must have interactions across the business pipeline, including these four areas:
- Compliance: To help maintain and report compliance.
- Risk management: To help understand risk posture.
- Line of business or other functional areas: To inform about and improve security and support strategy.
- Overall leadership: To develop cybersecurity function across the entire organization (not just IT).
“There’s a big disconnect in organizations between what we think the CISO does and what they actually do, what we think is important for a CISO and what is actually important for a CISO,” said Dickson. “The top three things a digital-first CISO does nowadays are really not security; it’s all people and communication.”
While other leaders tend to think of the CISO as a “tactical practitioner,” about half of what they do revolves around marketing and customer support. “One of the primary roles of the CISO is meeting new prospective customers,” said Dickson.
Customers want to know their plans and roadmaps and are seeking help with compliance.
“That’s a different skill set than being able to reverse engineer malware,” he pointed out.
Communicate, communicate, communicate
In addition to the “vast amount of skillsets” that they must manage in an expedient fashion, today’s security leaders must be able to communicate across the business, Cindi Carter, Check Point’s global CISO, told SDxCentral.
“They have to be able to cross-communicate within the business — up, down, right, left,” she said.
But it’s important they don’t use too many technological terms with the board, other leaders and team members outside of security “because their eyes are going to glaze over.” Security leaders must explain business and cyber risk in a digestible way — if the C-suite wants to do ‘X,’ they must also do ‘Y’ to ensure the organization’s safety from a cybersecurity standpoint (without stifling innovation).
“You have to be able to speak the business,” said Pete Nicoletti, Check Point’s CISO for the Americas. “It’s no longer staying on top of just the latest computer security issues, but looking at your business trends, what vertical you’re in, your competitors.”
Relationship-building is critical, as is establishing trust across an organization, Carter noted. “Negotiating and influencing are also some very key skills that security leaders need to have,” she said.
Ultimately, organizations are expecting security leaders to be experts (sometimes in areas in which they might not otherwise be as well versed, such as AI). This requires continuous self-education and research to be able to respond intelligently to questions about risk.
“All of our roles are dynamic,” said Carter. “The reason they’re dynamic is because of the extraordinarily fast technological change. You have to be comfortable with change, you have to be continuously hungry to learn something new and evolve with that.”
New reporting, butting heads with CIOs
Reporting structures are also evolving: CISOs are not always reporting to CIOs — in fact, only about 25% do so. Instead, they are reporting to the COO, CFO and CEO, and also have direct reporting to the board. The latter is particularly important with the new Securities and Exchange Commission (SEC) rules requiring more board involvement.
“There’s this need to communicate to the C-suite and put this idea of security and risk into a business risk context,” said Dickson. With tech spending moving outside of IT, CISOs “actively need to work with and collaborate and mentor and teach the line of business.”
In addition to widening responsibilities, there’s a significant disconnect between CISOs and CIOs, the IDC report found. Notably, CIOs see CISOs as more tactical — but they’re really more focused on strategic architecture. CISOs’ top two concerns, in fact, are inflation driving up vendor pricing and the impact the recession will have on revenue. CIOs, meanwhile, are most concerned with staffing shortages.
The top challenge cited by CIOs in working with CISOs is that security activities are frequently causing disruptions and impacting IT operations — and CISOs feel exactly the opposite, saying that IT activities are frequently causing disruptions and impacting security operations.
“The top things that frustrate them are exactly the same,” said Dickson. “They just point at each other.”
An evolving role amidst rapid digital transformation
Digital transformation is one big factor requiring CISOs to be agile, Dickson said. The internet and cloud computing have changed the way the world does business, but they have also given rise to cybercrime.
Ten years ago, organizations were asking themselves whether they even needed a CISO, he noted. But then in 2013 came a “watershed moment” when retail giant Target experienced a kill chain breach.
Carter agreed that “we didn’t even know what cybercrime was in the 90s when the internet was just getting started.”
As the pace of business sped up, organizations began to hear more and more about such attacks, as well as increasing threats and vulnerabilities.
All this was exacerbated to an unprecedented degree when COVID-19 hit in 2020, Dickson noted. In some cases overnight, organizations had to go remote, so the main focus was just trying to ensure people were connected to keep things running. Cybersecurity was an afterthought.
“We blinked and things were totally different,” said Dickson.
Still not considered part of the C-suite?
But CISOs still struggle to be heard because security has largely been considered a separate part of the business.
“Often CISOs are not considered along with the rest of the C-suite,” said Carter. In a way it’s understandable, she noted, “because the chief information security role hasn’t been as prominent in organizations really until the last 15 years.”
On the other hand, other C-level execs such as CFOs, CTOs and CIOs have been around for decades or even hundreds of years.
“From a board-level position, security does need to be elevated,” said Carter. “We have to start thinking about cybersecurity as a business decision.”