Today’s CISO: How The Role Has Evolved

Uploaded on 2023-06-29 in NEWS-Cybersecurity News, FREE TO VIEW

The modern-day Chief Information Security Officer (CISO) has developed with the ever-changing cyber threat landscape. The siloed CISO should now be a thing of the past, as they are fundamental to organisational business decisions.

CISOs are integral to a business and are now entitled to a seat at the boardroom table. While business demands are intensifying, the role of the CISO is becoming a transformational one, creating a value-centric security architecture to mitigate both cyber and business risk. 

Protecting an organisation from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning across the entire organisation, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate publicly traded organisations to disclose their cybersecurity governance efforts, particularly the Board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader is critical to enterprise health. 

Why Cybersecurity Is Top Of The Priority List

The transformational CISO is the bridge between cybersecurity and the C-Suite. With that said, they must be able to effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organisation. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact.  

Historically, CISOs focused primarily on the tactical aspects of cyber risk without consideration of the bigger picture. Deploying security tools to identify threats and address vulnerabilities was our bread and butter, but assessing the bigger picture was more of a foreign concept. However, the proliferation of cyberattacks on a global scale has added a myriad of new variables to the equation. From nation state adversaries driven by geopolitical tension to digital extortionists driven by organised crime, the cyber threat landscape is now malicious and highly sophisticated - and it’s evolving as we speak.

In turn, the modern CISO must operate beyond day-to-day operations with a targeted focus on the bigger picture. 

Deciphering the impact of cyber risk requires visibility into the organisation’s “crown jewels.” These are the processes and assets that create the biggest market advantage, revenue growth, and sustained success. Obtaining that level of understanding is only possible through calculated communication with corporate leadership. Instead of merely asking the C-Suite what cyber threats keep them up at night, a more effective line of questioning could be, “What product or service offerings does our market success depend on right now? Which key differentiators are critical to rising above industry competitors?” 

Then, with deeper insight into the organisation’s highest-value assets, CISOs can construct a security architecture designed to safeguard critical processes and minimize business disruption.

Instilling A Security Culture In The Team

The transformational CISO is responsible for fostering a company-wide culture of cyber resilience where all employees play a role in safeguarding the organisation. However, generating that collective cannot be accomplished through static engagement and one-size-fits-all training that lack contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice - and that we’re offering it with their best interest in mind - there’s a far better chance it will translate to positive action.  

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand. When given a paved road of proven protocols to follow, employees will be more inclined to follow protocols and keep the organisation safe. Compounded at a macro level, it creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture. 

How To Succeed As A CISO

As a CISO myself, I’ll be the first to acknowledge that engaging the C-Suite on cybersecurity matters isn’t always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded “B” word. She continued, “BUT, what we really want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’” 

If I wasn’t prepared to address her concerns, the whole business case we were proposing could’ve been derailed -  resulting in unaddressed issues that could our business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day. To effectively answer them, keep these five areas of focus in mind. 

Choose the Right Framework:    Select an industry recognised framework that not only aligns with your organisation’s risk profile, but also demystifies cybersecurity measures to the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that can be more easily consumed by business leaders.

Measure Your Maturity:    It’s not enough to simply adopt and leverage a security framework. As you implement its various controls, make sure to baseline and measure the maturity of your top security capabilities. That way, progress can be monitored over time. 

Benchmark Against Industry Peers:    An organisation’s level of cyber spend should be relative to its risk profile. But as your maturity improves, identify how the organisation’s security architecture is performing in relation to the sector at large – that can help determine if you’re spending too much or too little. 

Set an Optimal Target:    Organisations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.

Continuously Measure Effectiveness:    Even with a well-defined framework, maturity model, benchmark, and goal in mind, one key question remains: are you utilizing your limited resources effectively? As organisations deploy, maintain, and operate their security programme, continuous measurements and assessments should be non-negotiable.  

Frank Kim is a SANS Fellow and Instructor and the CISO-in-Residence at YL Ventures.

You Might Also Read: 

What Should CISO’s Look Out For In 2023?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Browser-Based Social Engineering Trends
How To Back Up GitLab To Prevent Data Loss  »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Technology Institute - De Montfort University

Cyber Technology Institute - De Montfort University

The Cyber Technology Institute provides training and high quality research and consultancy services in the fields of cyber security, software engineering and digital forensics.

Leibniz-Rechenzentrum (LRZ)

Leibniz-Rechenzentrum (LRZ)

The LRZ supports ground-breaking research and teaching in a wide range of scientific disciplines including information security and data protection.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

Havelsan

Havelsan

HAVELSAN is a leading technology company in Turkey developing indigenous systems for domestic and foreign military, public and private sector clients.

infySEC

infySEC

InfySEC is an information security services organization offering Security Technology services, Security Consulting, Security Training, Research & Development.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

Kasm Technologies

Kasm Technologies

Kasm Browser Isolation - Protect your organization from malware, ransomware and phishing by using zero-trust containerized browsers.

Agile Underwriting

Agile Underwriting

Agile, an underwriting agency, insurtech and Coverholder at Lloyd's, provides niche insurance products across Aviation, Marine & Cargo, Cyber and Financial Lines.

Ruptura InfoSecurity

Ruptura InfoSecurity

Ruptura InfoSecurity provide CREST Accredited Penetration Testing & Offensive Security Services. We secure your critical assets through targeted and research driven penetration testing.

Redefine

Redefine

Redefine are Crypto-Native, Cyber Experts, and Blockchain Believers. We are here to make Web3 anti-fragile, safe and accessible to all.

Northern Computer

Northern Computer

Northern Computer provides comprehensive IT solutions that streamline your operations and help you achieve your business goals.

Hubble

Hubble

Hubble grew from the idea that legacy solutions were failing to provide organizations with the asset visibility they needed to effectively secure and operate their businesses.

CQR

CQR

CQR are at the forefront of innovative cyber solutions, dedicated to securing and fortifying Operational technology (OT) infrastructure.

Scamnetic

Scamnetic

Scamnetic offer an everyday application that helps consumers detect every type of scam in real time – removing human error from the equation. 

National Protective Security Authority (NPSA) - UK

National Protective Security Authority (NPSA) - UK

NPSA is part of MI5 and is the National Technical Authority for physical and personnel protective security. By making the UK more resilient to national security threats, we help to make the UK safe.