Global Finances Daily

The New CISO: Rethinking the Role

March 19, 2024


COMMENTARY

Companies recognize the importance of cybersecurity and increasingly incorporate it as an asset in their operational strategies. But by mixing security and operations, organizations may be diluting the core mission of the chief information security officer (CISO): to protect the assets of the company from unwanted attacks. 

The role of CISO dates back to the 1990s, when it was more technical and IT-focused. Security was black and white, and departments strove to eliminate anything deemed a risk. Over the past 20 years, however, the job has changed. CISOs face more risks than can be resolved, are expected to balance security with operational capability, and must convince leaders to invest in protection.

Today, CISOs are also expected to defer to business needs while still being accountable for breaches. At networking events, I’m seeing more and more CISOs with business backgrounds focusing less on the cyber aspects of the job and more on supporting business priorities. 

This switch can leave companies in a precarious position. Relaxing cybersecurity diligence for the sake of speed not only threatens the security of the company’s data, but also creates unnecessary risk. And it’s not insignificant. According to IBM’s “Cost of a Data Breach Report 2023,” the average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years. 

In 2024, we need to rethink the role of the CISO yet again. Today’s CISO must help their organization understand that prioritizing risk reduction is key to the business’s resilience in the face of modern threats.

Today’s CISO: The Resilient Politician

CISOs once were able to sell their importance based on the idea that, in cyber terms, the sky was falling. But as the business and security sides of companies merged, corporate accountability came into play. CISOs’ focus shifted from risk avoidance to risk posture and consideration of what level is acceptable in the pursuit of business goals. 

In many cases, business units that generate revenue now have the final say on just what level of risk is acceptable, including cyber-risk. Meanwhile, business leaders, who have become more conversant in cybersecurity, no longer want to hear that the sky is falling. Instead, they want the CISO’s focus to stay on growth and profitability while protecting the enterprise from cyberattacks. With the proliferation of ransomware, CISOs must not only prevent, detect, and remediate security risks, but also consider how resilient the systems are against cyberattacks that can put the company out of business. CISOs must also focus on how quickly the company can recover from a cyber event.

The good news for CISOs is that many of these roles have been elevated to a genuine C-level position. The bad news is that their role is primarily an advisory one, secondary to what leaders see as acceptable risk. Considering the increasing pressure from the Securities and Exchange Commission (SEC) and Department of Justice regarding CISO accountability in the wake of a cyberattack, this position is quickly becoming untenable.

The Next Stage for CISOs

To be successful today, CISOs need to develop new skills while maintaining strong fundamentals. Here’s how this can be accomplished. 

  • Learn how to talk to the board. CISOs need to be negotiators. They need to argue in favor of stronger security and convince boards and business units of the risks in terms they understand. How a CISO goes about this can vary, depending on whether board members’ experience is in technology or business. Providing a demonstration that puts the technical risk into a business perspective can be helpful. CISOs should also talk with other C-level executives — as well as CISOs from other industries — to get advance buy-in and different perspectives on similar conversations they’re having with their boards. 

  • Get comfortable with gray. CISOs need to be comfortable developing a risk-based approach focusing on the importance of resiliency, because attackers will get in. Developing a tested plan to respond to attacks is just as important as implementing preventative measures. And always remember, you cannot provide absolute security; it’s a matter of balancing the risk with the cost.

  • Emphasize fundamentals. CISOs should build a deeply technical team that can focus on key security practices. They should run tabletop exercises on scenarios such as a system shutdown or inability to connect to the Internet. CISOs must not rely on assumptions about how to respond; running through and testing all response plans is vital. 

  • Be thoughtful about tech. Security teams today have too much information to wade through. It’s essential to consolidate data and invest in automation. In a former role, I discovered my team was spending one-third of its time gathering data and creating reports. That’s not a good use of anyone’s time. Automation can help. It will also enrich your team’s careers by letting them focus on security rather than administrative functions.

  • Document everything. When a damaging incident happens, the blame is often laid at the CISO’s feet. In recent years, CISOs at major companies have been let go, called to testify in court, and, in some cases, charged with crimes. CISOs should develop a cyberattack response plan, document every step, and follow it rigorously. Doing so might not save the CISO’s job, but it could keep them out of court. 

A New CISO for a New Threat Landscape

The enterprise IT landscape has changed significantly over the past 40 years, becoming increasingly dispersed, cloud-based, and central to conducting business. So has the cyber-threat landscape, with breaches now widely considered inevitable. With so much change, it’s unrealistic to expect the CISO of today to operate in the same way as in decades past. In this new environment, CISOs must redefine how they balance cyber-resilience and operational demands, interact with senior leaders and the board, and deliver team and technical leadership.



Editorial Team
