CSO's CISO Executive Career and Leadership Success Guide

A lot has changed since the early years, when enterprises first began embracing the CISO position. Back then, the CISO role was primarily a technical one: control user access, secure the databases, find and patch vulnerabilities, keep the malware out, and eventually help build secure websites and eCommerce platforms. In those days, most of the highly proprietary data resided within the local area network, the data center, or on PCs and notebooks.

We didn't know it then, but information security was a more straightforward technical challenge than it is today.

One of the things that first dramatically changed the role of the CISO was the rise of privacy laws such as GLBA and HIPAA, which required the first waves of regulatory compliance efforts and reports, and the ability to show outsiders that security and privacy compliance measures were in place.

Today, the CISO plays a more central role in helping to guide enterprise risk management, governance, and regulatory compliance, in addition to all of the traditional technical security functions.

No easy task, to be sure.

The shifting threat landscape

The very nature of the threats CISOs fight has also dramatically changed. At one time, skilled adversaries were far fewer - and still fewer attackers were motivated by criminal profit. The financial gain wasn't yet readily apparent, or so easily had. But that would change, and criminals would take notice.

Take a look at some of the most recent and damaging security breaches in Taylor Armerding's The 15 worst data security breaches of the 21st Century. There, he looks at many, but not all, of the significant breaches that struck retailers, tech companies, financial services, entertainment providers and more in the past decade and a half.

And few would doubt that "security breaches at companies like Target and Neiman Marcus have placed these professionals [CISOs] on the front line of defense - and generated significant attention from the C-suite and boardroom," as Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates, said in the question-and-answer article Inside the changing role of the CISO.

There is no doubt about it: Enterprises and governments everywhere now know that if they are going to succeed in the years ahead, they will have to do so by ensuring that their data, applications and information systems are resilient and secure. But just as the threats have changed, so has the nature of the business-technology systems they defend.

From virtualization to public, private and hybrid cloud architectures, cloud- and web-centric applications, and the speed and agility of DevOps and continuous integration and continuous delivery pipelines, the systems enterprises build, and how they build them, are changing very rapidly.

And it's not just what kinds of business-technology systems enterprises build and how they build them, but also where all the data are going. Not only is data traveling on more mobile devices, but enterprise networks are now being extended into the physical world through the Internet of Things (IoT). These networked systems will be managing automated building systems, fleets of trucks and autos, factory equipment, industrial SCADA systems, and more. This will profoundly change what is at stake when breaches succeed.

The future role of the CISO

While the CISO has been proven to help improve organizational security and the outcomes when security breaches do occur, that doesn't mean the value of the CISO can be taken for granted. Broadly speaking, CISOs often report that they have a tough time communicating this value to business leadership, whether that is the owner, the board, the CIO or the CFO.

This is why, to succeed, CISOs must master communicating the value of their information security and risk management program to the business. And as attackers and business-technology systems continue to grow in number and sophistication, and regulatory mandates grow more intense, meeting the information security challenge is only going to get harder in the years ahead.

To help you, we've put together this guide, which focuses on CISO career and leadership success and which we will update regularly to keep CISOs informed about what they need to know in order to succeed.

The conversation security leaders need to have about Amy Pascal's departure

Three questions security leaders need to ask the executives and board in the wake of Amy Pascal's departure.

Are you immune from this very real risk to your tenure as CSO?

As we work to adjust our bias for breach prevention, the real concern is how the response is handled. Some steps to help ensure you get it right.

The CSO of the future

What skills, background and education does a security executive need if they want their career to evolve?

Inside the changing role of the CISO

Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates, talks with CIO.com about the challenges, opportunities and changing role of today's Chief Information Security Officer.

If you lose your key staff, are you prepared to maintain security?

Leaders need to assess and prepare for the security impact of key people leaving the organization while making it better for those who stay.

CISOs taking a leap of faith

More CISOs are embracing new career paths within the industry.

Ants and elephants in the CISO's office

A CISO lives a precarious life. A head hunter once told me that the average CISO at large corporations lasts about 18 months before being fired or replaced. That's because he or she faces two kinds of threats in the jungle of business -- ants and elephants.

Is the CISO role too big for one person?

Paul Groce, Global Head of CIO/Technology Operations for executive search firm CTPartners, says the CISO role has evolved beyond the scope of one position in recent years.

Former Zynga CSO: Innovate or Die

Cloud Security Alliance co-founder and former Zynga CSO Nils Puhlmann reflects on what he's learned and explains why he thinks the industry needs more pioneers.


Stories by George V. Hulme
