Inside the Changing Role of the CISO

With a number of high-profile security breaches making headlines of late, organizations are increasingly realizing they must beef up their security teams or risk catastrophe. Matt Comyns, global co-head of the Cybersecurity practice at Russell Reynolds Associates, an executive leadership and search firm, sat down with CIO to discuss the changing role of the Chief Information Security Officer (CISO), the global cybersecurity landscape and why finding and retaining elite security talent is critical.

CIO: How has the job description for a CISO changed over the last five to ten years?

Matt Comyns: Compared to just a few years ago, CISOs now face a wide array of risks and responsibilities that have significantly increased the complexity of their role. Security breaches at companies like Target and Neiman Marcus have placed these professionals on the front line of defense - and generated significant attention from the C-suite and boardroom. Leading companies recognize that their ability to confront rising cybersecurity risk is driven by the talent of their CISO - and that companies lacking this talent will become increasingly vulnerable.

CIO: What are some of the major challenges faced by today's CISOs, both technical and business-related?

MC: CISOs face a host of new and emerging challenges, including risks generated by the ubiquity of mobile devices, the global scope of information assets, the difficulty of complying with new regulations and the threat of state-sponsored attacks as well as global cyber criminals. In response to these threats, organizations have elevated the role of CISOs to become a direct report to the chief information officer, chief risk officer or general counsel.


CIO: Where do leading CISOs come from? Are there specific technical skills or business backgrounds that make a candidate more suited for the role?

MC: Our research reveals that CISOs have backgrounds that conform to one or more of the following classifications:

Corporate Cybersecurity 'Lifers'

These executives typically hold degrees in engineering or computer science and begin their careers in cybersecurity at large organizations.

General Technologists

Often holding a technical degree in engineering or computer science, these executives normally begin their career in corporate IT and migrate to a specialization in cybersecurity.

Military or Law Enforcement Professionals

These executives begin their careers in military service or law enforcement, gaining technical expertise through on-the-job experience before rising to a senior cybersecurity position within a corporation.

Cybersecurity Product Specialists

These executives begin their career with a vendor of cybersecurity products. Similar to military and law enforcement, they also earn their stripes through practical experience before rising to a senior position.


CIO: What differentiates great CISOs from those who are just adequate? What fundamental skills, competencies and experiences are necessary to succeed in the CISO role today?

MC: While strong technical skills are 'table stakes' for success, core leadership and general management competencies make the best CISOs stand out from the crowd. Overall, successful CISOs tend to have the following skill sets in common:

  • Business acumen and analytics
  • Creativity and innovation
  • Business-to-business communication
  • Relationships, influence and presence
  • People leadership

CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.

CIO: How do companies compete for, attract and retain top CISO talent?

MC: Exceptional talent in the CISO space is scarce. To attract the best candidates, companies must consider four tactics:

CIO: How are CISOs positioned for success? Are there specific support resources and environments that are better-suited to helping CISOs and their teams be successful?

MC: To be effective, cybersecurity must exist as a broad organizational priority that engages all employees. The following factors are critical for success:

Sharon Florentine covers IT careers and data center topics. Follow Sharon on Twitter @MyShar0na.
