What will the CISOs of 2020 look like?

Chief information security officers (CISOs) are increasingly being stretched between overseeing their company’s information security team and liaising with the board on budget, business strategy and new threats. With these security heads also contending with a serious skills shortage, compliance and legislation, we look at what the role could look like in 2020.

Ever since its inception in the late 1990s, the CISO job has tended to be a very technical job. The CISO would likely report to the CIO and have a varied background as a system or network administrator, or perhaps as a security analyst in a security operations center (SOC). Almost all CISOs were male, with either experience in computer science or perhaps as a senior manager in the military.

However, this traditional view of the job has shifted in more recent years thanks not only to workforce diversification, but also to a growing desire for security to be more aligned with business interests.

As a result, today you’ll find male and female CISOs, from all backgrounds, offering a variety of skills and experiences. They may not all be CISSP qualified, but they know how to manage projects, communicate, and build a business case for information security.

Some of these next-generation CISOs have come from areas you wouldn’t necessarily associate with infosec, such as psychology, sociology and law.

However, the job is not an easy ride, despite the lucrative salary. The job responsibilities are ever increasing, the hours are long, and failure around any security incident almost always results in dismissal.


“The role of CISO continues to evolve in that the expectation now is that the CISO not only be security savvy, but also technically adept and business aware,” says Becky Pinkard, director of the security operations center at British publishing house Pearson. “The right CISO is the ultimate weapon in the resource arsenal against cyber-security issues.”

Neil Thacker, information security and strategy officer at web security software vendor Websense, believes that businesses will increasingly look for this person from other lines of business.

“New CISOs originate from other areas of the business already aligned to risk,” he told CSO Online. “Fewer will originate from an audit and compliance background, but a closer understanding of legislation, governance and ultimately risk is important, with a necessary skillset to demonstrate understanding in this area.

“The traditional route to the role of CISO may also continue with technical, consultant and adviser skills all considered as a good background to the role.” 

Board buy-in still a problem

Cisco’s Annual Security Report last year suggested that CISOs are out of step with their own security teams, while other studies have raised serious concerns about the supply chain and incident response capabilities. Meanwhile, age-old problems like IT-led reporting lines and getting board buy-in continue to fester – showing that the job continues to have many challenges.

Nic Wells, CISO at UK bus company Arriva, says that some businesses still view the CISO as “purely an IT role” which “should not be involved in other business functions”. He admits that his biggest challenge is “demonstrating the value of information security and good risk management in financial terms to the business”.

Thacker says that a disconnect with the board remains a serious problem for most CISOs.


“A closer collaboration with the board is an urgent change needed. A discussion on business risk, less so business threat, needs to take place with the board at regular intervals.

“The role [of the CISO] also has to change to include shared ownership of incidents and risk. Many organizations have data and risk owners assigned pervasively across the organization yet very few empower these owners and delegate adequate responsibility.”

Thacker added that security managers will in future have to consult more with data protection and legal teams, due to new global data protection laws, and changing budgets from network to data security spend.

“The current challenge today is the complexity of the role and the ability to manage events and incidents in a timely manner whilst achieving the requirement to meet compliance and legislation requirements. The complexity has only accelerated with third-party risk now a common custodian role today’s CISO has to take on. It’s a day job like no other.” 

Andrew Rose, CISO at air traffic management company NATS, believes that future CISOs will have to become more focused on business strategy.

“The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.

“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realize the benefit in it. I don’t think I am alone in a CISO operating at that level, and I think more CISOs will have to do that in future.”

‘Visionary’ CISOs on the rise

Pearson’s Pinkard agrees, adding that businesses should be seeking a security ‘visionary’.

“In the coming years, organizations will have to find the right combination of experience, leadership, financial knowledge, business insight and security know-how. They’ll have to couple this with a forward-facing visionary – someone who can marry the necessary ‘old school’ approach with the evolutionary thinking that is required to excel digitally.”

Phil Cracknell, information security consultant, believes meanwhile that the CISO role could evolve to tie in with that of the Chief Risk Officer (CRO).

“The CISO will become a subordinate role to the CRO, focusing back on technology whereas the CRO will have wider business risks to consider.” Cracknell adds that the role could even become “part-man part-machine”, due to the emergence of real-time alerts through Artificial Intelligence.

Thacker suggests that the emergence of business-aligned security chiefs could result in the creation of the Cyber Security Strategy Officer (CSSO) role.

“The CISOs of 2020 will be more business aligned and business relationship orientated. They will be closer to the company’s assets with regard to assigning ownership and accountability, and will be accountable for contributing meaningful metrics to measure the risk exposure to board level.

“Key Risk Indicators will be a key measurement of success with a move away from the tactical threat-based strategies many deploy today.”

2020 chiefs

Rose says that current and future CISOs should look to leverage internal training to further their career, and to learn more about the business.

“Internal management training is good. They’re effectively a bit like a mini MBA. You get to run a pretend company, go to educational classes about finance and marketing… that’s the sort of gold dust that CISOs need to know now.

“They need to be a much more rounded business professional. If they aren’t, they’ll get replaced. Because if the CISO goes to the board and talks about technology, viruses and TCP/IP packets, they will not be invited back.”

Wells urges prospective CISOs: “Learn the business and evolve your ability to act as the interpreter/translator between the technology teams and the business functions. Be able to explain technology risks in the terms of a business such as exposure, reputational impact and financial risk.”

Drinkwater is an experienced journalist covering information security and a contributor to CSOonline.
