Today’s CISO: How The Role Has Evolved

Uploaded on 2023-06-29 in NEWS-Cybersecurity News, FREE TO VIEW

The modern-day Chief Information Security Officer (CISO) has developed with the ever-changing cyber threat landscape. The siloed CISO should now be a thing of the past, as they are fundamental to organisational business decisions.

CISOs are integral to a business and are now entitled to a seat at the boardroom table. While business demands are intensifying, the role of the CISO is becoming a transformational one, creating a value-centric security architecture to mitigate both cyber and business risk. 

Protecting an organisation from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning across the entire organisation, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate publicly traded organisations to disclose their cybersecurity governance efforts, particularly the Board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader is critical to enterprise health. 

Why Cybersecurity Is Top Of The Priority List

The transformational CISO is the bridge between cybersecurity and the C-Suite. With that said, they must be able to effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organisation. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact.  

Historically, CISOs focused primarily on the tactical aspects of cyber risk without consideration of the bigger picture. Deploying security tools to identify threats and address vulnerabilities was our bread and butter, but assessing the bigger picture was more of a foreign concept. However, the proliferation of cyberattacks on a global scale has added a myriad of new variables to the equation. From nation state adversaries driven by geopolitical tension to digital extortionists driven by organised crime, the cyber threat landscape is now malicious and highly sophisticated - and it’s evolving as we speak.

In turn, the modern CISO must operate beyond day-to-day operations with a targeted focus on the bigger picture. 

Deciphering the impact of cyber risk requires visibility into the organisation’s “crown jewels.” These are the processes and assets that create the biggest market advantage, revenue growth, and sustained success. Obtaining that level of understanding is only possible through calculated communication with corporate leadership. Instead of merely asking the C-Suite what cyber threats keep them up at night, a more effective line of questioning could be, “What product or service offerings does our market success depend on right now? Which key differentiators are critical to rising above industry competitors?” 

Then, with deeper insight into the organisation’s highest-value assets, CISOs can construct a security architecture designed to safeguard critical processes and minimize business disruption.

Instilling A Security Culture In The Team

The transformational CISO is responsible for fostering a company-wide culture of cyber resilience where all employees play a role in safeguarding the organisation. However, generating that collective cannot be accomplished through static engagement and one-size-fits-all training that lack contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice - and that we’re offering it with their best interest in mind - there’s a far better chance it will translate to positive action.  

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand. When given a paved road of proven protocols to follow, employees will be more inclined to follow protocols and keep the organisation safe. Compounded at a macro level, it creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture. 

How To Succeed As A CISO

As a CISO myself, I’ll be the first to acknowledge that engaging the C-Suite on cybersecurity matters isn’t always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded “B” word. She continued, “BUT, what we really want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’” 

If I wasn’t prepared to address her concerns, the whole business case we were proposing could’ve been derailed -  resulting in unaddressed issues that could our business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day. To effectively answer them, keep these five areas of focus in mind. 

Choose the Right Framework:    Select an industry recognised framework that not only aligns with your organisation’s risk profile, but also demystifies cybersecurity measures to the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that can be more easily consumed by business leaders.

Measure Your Maturity:    It’s not enough to simply adopt and leverage a security framework. As you implement its various controls, make sure to baseline and measure the maturity of your top security capabilities. That way, progress can be monitored over time. 

Benchmark Against Industry Peers:    An organisation’s level of cyber spend should be relative to its risk profile. But as your maturity improves, identify how the organisation’s security architecture is performing in relation to the sector at large – that can help determine if you’re spending too much or too little. 

Set an Optimal Target:    Organisations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.

Continuously Measure Effectiveness:    Even with a well-defined framework, maturity model, benchmark, and goal in mind, one key question remains: are you utilizing your limited resources effectively? As organisations deploy, maintain, and operate their security programme, continuous measurements and assessments should be non-negotiable.  

Frank Kim is a SANS Fellow and Instructor and the CISO-in-Residence at YL Ventures.

You Might Also Read: 

What Should CISO’s Look Out For In 2023?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Browser-Based Social Engineering Trends
How To Back Up GitLab To Prevent Data Loss  »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Information Risk Management (IRM)

Information Risk Management (IRM)

IRM is an international consultancy dedicated to helping organisations solve key business issues. We provide strategic cyber security advice across a wide range of sectors.

General Dynamics Information Technology (GDIT)

General Dynamics Information Technology (GDIT)

General Dynamics IT delivers cyber security services to defend critical information and infrastructure.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Neupart

Neupart

Neupart provides Information Security Management System, Secure ISMS, allowing organisations to automate IT Governance, Risk and Compliance management.

Shieldfy

Shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from cyber attacks and malwares.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

Cervello

Cervello

Cervello is a leading provider of comprehensive and proven solutions to protect railways against cyber attacks.

6point6

6point6

6point6 is a technology consultancy with strong expertise in digital transformation, emerging technology and cyber security.

Fiserv

Fiserv

Fiserv offers a wide array of Risk & Compliance solutions to help you prevent losses from fraud and ensure adherence to regulatory and compliance mandates.

Collins Aerospace

Collins Aerospace

Collins Aerospace provides cybersecurity services and systems to protect critical infrastructure facilities and railroad operations.

National Security Services Group (NSSG) - Oman

National Security Services Group (NSSG) - Oman

National Security Services Group (NSSG) is Oman's leading and only proprietary Cybersecurity consultancy firm and Managed Security Services Provider.

Antigen Security

Antigen Security

Antigen Security is a Digital Forensics, Incident Response and Recovery Engineering firm helping businesses and service providers prepare for, respond to, and recover from cyber threats.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

Vector Choice Technologies

Vector Choice Technologies

Vector Choice Technology Solutions has a long standing reputation in cyber security consulting since 2008.

EK3 Technologies

EK3 Technologies

EK3 Technologies mission is to provide comprehensive cybersecurity and IT solutions that allow our clients to focus on sustaining their business.

Myriad360

Myriad360

Myriad360 are a global systems integrator specializing in Data Center Modernization, Cloud, Cybersecurity, and Artificial Intelligence.