Ever since its inception in the late 1990s, the CISO role has tended to be a highly technical one. The CISO would typically report to the CIO and come from a background as a system or network administrator, or perhaps as a security analyst in a security operations center (SOC). Almost all CISOs were male, with either a computer science background or perhaps a senior management career in the military.
However, this traditional view of the job has shifted in more recent years thanks not only to workforce diversification, but also to a growing desire for security to be more aligned with business interests.
As a result, today you’ll find male and female CISOs from all backgrounds, offering a variety of skills and experiences. They may not all be CISSP-qualified, but they know how to manage projects, communicate, and build a business case for information security.
Some of these next-generation CISOs have come from areas you wouldn’t necessarily associate with infosec, such as psychology, sociology and law.
However, the job is not an easy ride, despite the lucrative salary. The job responsibilities are ever increasing, the hours are long, and failure around any security incident almost always results in dismissal.
“The role of CISO continues to evolve in that the expectation now is that the CISO not only be security savvy, but also technically adept and business aware,” says Becky Pinkard, director of the security operations center at British publishing house Pearson. “The right CISO is the ultimate weapon in the resource arsenal against cyber-security issues.”
Neil Thacker, information security and strategy officer at web security software vendor Websense, believes that businesses will increasingly look for this person from other lines of business.
“New CISOs originate from other areas of the business already aligned to risk,” he told CSO Online. “Fewer will originate from an audit and compliance background, but a closer understanding of legislation, governance and ultimately risk is important, with a necessary skillset to demonstrate understanding in this area.
“The traditional route to the role of CISO may also continue with technical, consultant and adviser skills all considered as a good background to the role.”
Board buy-in still a problem
Cisco’s Annual Security Report last year suggested that CISOs are out of step with their own security teams, while other studies have raised serious concerns about the supply chain and incident response capabilities. Meanwhile, age-old problems like IT-led reporting lines and getting board buy-in continue to fester – showing that the job continues to have many challenges.
Nic Wells, CISO at UK bus company Arriva, says that some businesses still view the CISO as “purely an IT role” which “should not be involved in other business functions”. He admits that his biggest challenge is “demonstrating the value of information security and good risk management in financial terms to the business”.
Thacker says that a disconnect with the board remains a serious problem for most CISOs.
“A closer collaboration with the board is an urgent change needed. A discussion on business risk, less so business threat, needs to take place with the board at regular intervals.
“The role [of the CISO] also has to change to include shared ownership of incidents and risk. Many organizations have data and risk owners assigned pervasively across the organization yet very few empower these owners and delegate adequate responsibility.”
Thacker added that security managers will in future have to consult more closely with data protection and legal teams, both because of new global data protection laws and because budgets are shifting from network security to data security spend.
“The current challenge today is the complexity of the role and the ability to manage events and incidents in a timely manner whilst achieving the requirement to meet compliance and legislation requirements. The complexity has only accelerated with third-party risk now a common custodian role today’s CISO has to take on. It’s a day job like no other.”
Andrew Rose, CISO at air traffic management company NATS, believes that future CISOs will have to become more focused on business strategy.
“The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.
“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realize the benefit in it. I don’t think I am alone in a CISO operating at that level, and I think more CISOs will have to do that in future.”
‘Visionary’ CISOs on the rise
Pearson’s Pinkard agrees, adding that businesses should be seeking a security ‘visionary’.
“In the coming years, organizations will have to find the right combination of experience, leadership, financial knowledge, business insight and security know-how. They’ll have to couple this with a forward-facing visionary – someone who can marry the necessary ‘old school’ approach with the evolutionary thinking that is required to excel digitally.”
Phil Cracknell, information security consultant, believes meanwhile that the CISO role could evolve to tie-in with that of the Chief Risk Officer (CRO).
“The CISO will become a subordinate role to the CRO, focusing back on technology whereas the CRO will have wider business risks to consider.” Cracknell adds that the role could even become “part-man part-machine”, due to the emergence of real-time alerts through Artificial Intelligence.
Thacker suggests that the emergence of business-aligned security chiefs could result in the creation of the Cyber Security Strategy Officer (CSSO) role.
“The CISOs of 2020 will be more business aligned and business relationship orientated. They will be closer to the company’s assets with regard to assigning ownership and accountability, and will be accountable for contributing meaningful metrics to measure the risk exposure to board level.
“Key Risk Indicators will be a key measurement of success with a move away from the tactical threat-based strategies many deploy today.”
Rose says that current and future CISOs should look to leverage internal training to further their career, and to learn more about the business.
“Internal management training is good. They’re effectively a bit like a mini MBA. You get to run a pretend company, go to educational classes about finance and marketing…that’s the sort of gold dust that CISOs need to know now.
“They need to be a much more rounded business professional. If they aren’t, they’ll get replaced. Because if the CISO goes to the board and talks about technology, viruses and TCP/IP packets, they will not be invited back.”
Wells urges prospective CISOs: “Learn the business and evolve your ability to act as the interpreter/translator between the technology teams and the business functions. Be able to explain technology risks in the terms of a business such as exposure, reputational impact and financial risk.”
Drinkwater is an experienced journalist covering information security and a contributor to CSOonline.