Today’s CISO: How The Role Has Evolved

Uploaded on 2023-06-29 in NEWS-Cybersecurity News, FREE TO VIEW

The modern-day Chief Information Security Officer (CISO) has developed with the ever-changing cyber threat landscape. The siloed CISO should now be a thing of the past, as they are fundamental to organisational business decisions.

CISOs are integral to a business and are now entitled to a seat at the boardroom table. While business demands are intensifying, the role of the CISO is becoming a transformational one, creating a value-centric security architecture to mitigate both cyber and business risk. 

Protecting an organisation from cyber threats no longer falls on the CISO’s shoulders alone. It’s a collective responsibility spanning across the entire organisation, starting at the top with corporate leadership and extending down to every level of the enterprise. Gartner forecasts indicate that by 2026, more than 50% of C-level executives will have performance requirements related to cyber risk within their employment contracts. Expected new SEC regulations will also mandate publicly traded organisations to disclose their cybersecurity governance efforts, particularly the Board’s oversight of cyber risk within its larger business strategy. Now more than ever, positioning CISOs to serve in the capacity of a transformational leader is critical to enterprise health. 

Why Cybersecurity Is Top Of The Priority List

The transformational CISO is the bridge between cybersecurity and the C-Suite. With that said, they must be able to effectively articulate the link between cyber incidents and business disruption in a way that resonates with various stakeholders of the organisation. This requires a holistic understanding of cyber risk’s three fundamental tenets: threats, vulnerabilities, and impact.  

Historically, CISOs focused primarily on the tactical aspects of cyber risk without consideration of the bigger picture. Deploying security tools to identify threats and address vulnerabilities was our bread and butter, but assessing the bigger picture was more of a foreign concept. However, the proliferation of cyberattacks on a global scale has added a myriad of new variables to the equation. From nation state adversaries driven by geopolitical tension to digital extortionists driven by organised crime, the cyber threat landscape is now malicious and highly sophisticated - and it’s evolving as we speak.

In turn, the modern CISO must operate beyond day-to-day operations with a targeted focus on the bigger picture. 

Deciphering the impact of cyber risk requires visibility into the organisation’s “crown jewels.” These are the processes and assets that create the biggest market advantage, revenue growth, and sustained success. Obtaining that level of understanding is only possible through calculated communication with corporate leadership. Instead of merely asking the C-Suite what cyber threats keep them up at night, a more effective line of questioning could be, “What product or service offerings does our market success depend on right now? Which key differentiators are critical to rising above industry competitors?” 

Then, with deeper insight into the organisation’s highest-value assets, CISOs can construct a security architecture designed to safeguard critical processes and minimize business disruption.

Instilling A Security Culture In The Team

The transformational CISO is responsible for fostering a company-wide culture of cyber resilience where all employees play a role in safeguarding the organisation. However, generating that collective cannot be accomplished through static engagement and one-size-fits-all training that lack contextual awareness. It compares quite nicely to the challenges of parenting a teenager. Just because we know what’s best for our kids doesn’t mean they will always do what we tell them. But if we can effectively illustrate the value behind our advice - and that we’re offering it with their best interest in mind - there’s a far better chance it will translate to positive action.  

The same goes for CISOs tasked with building a culture of cyber resilience. We can’t expect standard sets of policies or routine training to automatically translate into 100% staff-wide security compliance. For internal engagement to resonate, it must be scaled to the individual end user and designed with personalisation in mind – offering valid reasoning that a non-technical workforce can understand. When given a paved road of proven protocols to follow, employees will be more inclined to follow protocols and keep the organisation safe. Compounded at a macro level, it creates a dynamic where security awareness is ingrained into day-to-day workflows as part of an overarching company culture. 

How To Succeed As A CISO

As a CISO myself, I’ll be the first to acknowledge that engaging the C-Suite on cybersecurity matters isn’t always smooth sailing. I once met with a CFO to secure her buy-in for a particular security business case we wanted to adopt. Just a few minutes in, she stopped me and said, “Frank, we get it. We know our cybersecurity measures need to be top of mind.” For a fleeting moment, I began to feel the meeting was headed in the right direction.
Except then came the dreaded “B” word. She continued, “BUT, what we really want to know is ‘Are we spending too much? Are we spending too little? How are we doing compared to our industry peers?’” 

If I wasn’t prepared to address her concerns, the whole business case we were proposing could’ve been derailed -  resulting in unaddressed issues that could our business at risk. These are the kinds of questions that C-level executives are asking their security leaders every day. To effectively answer them, keep these five areas of focus in mind. 

Choose the Right Framework:    Select an industry recognised framework that not only aligns with your organisation’s risk profile, but also demystifies cybersecurity measures to the C-Suite and Board. The NIST Cybersecurity Framework, for example, helps simplify the complexities of security in a way that can be more easily consumed by business leaders.

Measure Your Maturity:    It’s not enough to simply adopt and leverage a security framework. As you implement its various controls, make sure to baseline and measure the maturity of your top security capabilities. That way, progress can be monitored over time. 

Benchmark Against Industry Peers:    An organisation’s level of cyber spend should be relative to its risk profile. But as your maturity improves, identify how the organisation’s security architecture is performing in relation to the sector at large – that can help determine if you’re spending too much or too little. 

Set an Optimal Target:    Organisations on the high end of the maturity spectrum may decide to compare themselves to a more mature industry as a stretch goal. But even if you stay within your industry for comparison purposes, set a maturity goal that is always based on a deep understanding of business risk.

Continuously Measure Effectiveness:    Even with a well-defined framework, maturity model, benchmark, and goal in mind, one key question remains: are you utilizing your limited resources effectively? As organisations deploy, maintain, and operate their security programme, continuous measurements and assessments should be non-negotiable.  

Frank Kim is a SANS Fellow and Instructor and the CISO-in-Residence at YL Ventures.

You Might Also Read: 

What Should CISO’s Look Out For In 2023?:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Browser-Based Social Engineering Trends
How To Back Up GitLab To Prevent Data Loss  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

I-Tracing

I-Tracing

I-TRACING are experts in IT security, specialized in legal compliance of information systems, security of information systems, and the collection of digital evidence and traces.

CARICERT

CARICERT

CARICERT is the National Cyber Emergency Response Team of Curacao in the Caribbean.

Excelsecu Data Technology

Excelsecu Data Technology

Excelsecu is a global solution provider of online identity authentication, widely applied in banks, government bodies and enterprises.

Secon Cyber Security

Secon Cyber Security

Secon Cyber Security is an Advanced Managed Security Services Provider with long standing experience of providing cyber security solutions to customers ranging from small to large enterprises.

SCADASUDO

SCADASUDO

SCADASUDO is a cyber solution architecture and design office, established by leading experts in the field of OT (Industrial control) and IT (information Technology).

Hacken

Hacken

Hacken provide a range of cybersecurity services including security assessments, blockchain security audits, and secure software development.

Improsec

Improsec

Improsec is a fully independent Cyber Security advisory company - we provide knowledge, experience and both strategic and deep technical expertise to our clients.

ProSearch Partners

ProSearch Partners

ProSearch Partners are national talent acquisition specialists exclusively focussing on Technology and Digital talent including Cybersecurity, Data Analytics and Execs.

Adyta

Adyta

Adyta specializes in cybersecurity solutions adapted to the needs of sovereign institutions, business groups and other organizations that handle information and sensitive or classified data.

Glocomms

Glocomms

Glocomms is a leading specialist recruitment agency for the tech sector, providing permanent, contract, and multi-hire recruitment from our global hubs in San Francisco, New York, London and Berlin.

Barikat Cyber Security

Barikat Cyber Security

Barikat is a provider of information security solution and services including security analysis and compliance, security testing, managed security services, incident response and training.

GetHacked.ca

GetHacked.ca

GetHackded.ca is a certified company offering penetration testing and specialized cybersecurity services.

PolySwarm

PolySwarm

PolySwarm is a crowdsourced threat intelligence marketplace that provides a more effective way to detect, analyze and respond to the latest threats.

RSK Cyber Security

RSK Cyber Security

RSK Cyber Security are a leading cyber security services company that uses services, consulting, and product knowledge to lower security risk across the board.

TIM Enterprise

TIM Enterprise

TIM Enterprise offers innovative, sustainable and secure 360-degree digital solutions to companies and public administrations.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

Texaport

Texaport

Texaport's vision is to be the trusted partner of choice for organisations seeking comprehensive IT management and cutting-edge security solutions.