Chief Information Security Officer (CISO)! it's a position that first appeared in the 1980s when Steve Katz was given the title while working with Citibank in New York City. (In the interest of full disclosure, I have had the pleasure of working with Steve in the past. He is a friend and I hold him in the highest regard). The title of CISO really only began to gain momentum in the late 1990s and since then has come to be characterised by a sense of constant, rapid evolution.
Initially employed by large organisations within the financial industry, CISOs can now be found in virtually every private and public sector. Oftentimes, working alongside Chief Information Officers (CIOs) and Chief Technical Officers (CTOs), they are charged with protecting the information and the systems that allow the business to function, from misuse of compromise.
The status of the CISO was given a boost in 2002 when the Sarbanes-Oxley Act came into force in the United States. These new regulations set out baseline security requirements for IT and data security and caused many organisations to push the challenge higher up their priority lists.
When they first started to become part of organisational management structures, CISOs tended to be located within the IT department and reported to the CIO. Back then, security was seen as simply another element of the IT infrastructure, alongside servers, applications and networks, that needed to be managed.
Then a watershed moment occurred in 2009 when Google, along with a number of other high-profile companies, admitted that its China-based IT systems had been compromised during the Operation Aurora targeted attack. Across all sectors companies realised that, if an organisation like Google could be attacked, they needed to take their own cybersecurity much more seriously.
As a result, a growing number of organisations chose to break out the CISO and security team into a separate department outside of IT, given part of the security function was to audit the IT department. In some instances, the security function became part of a governance group that comprised people such as the Chief Risk Officer, compliance staff and legal counsel. It was felt that, by taking this approach, cybersecurity would receive the management attention and resources required to effectively guard against attacks.
Making this kind of structural change also helped the CISO to better undertake one of their most important roles - the auditing of security tools and processes across their organisation. Regular and comprehensive audits are recognised as being a fundamental element of any enterprise-wide security strategy.
This task often proves difficult when the security function is kept within the wider IT department. In this situation, the CISO is essentially faced with the awkward prospect of auditing their IT teammates and making a status report to the CIO - who is also their boss.
Changing the reporting lines of the CISO role also helps to make overall security more transparent. Recommendations for changes can be made in a wider business context and not have to be part of particular technology strategies or decisions.
Having a more transparent security role can also make it easier for the CISO to achieve requested budget increases. When the board clearly understands the situation and any inadequacies that might existing across the organisation, they will be more likely to open the purse strings and invest in required tools and skills.
In yet another sign of how the CISO role has evolved, some organisations are now changing the management structure so that the IT department and CIO actually report directly to the CISO. This is being done so that all technology-related decisions are seen from the perspective of the impact they will have on overall security. It also helps to prevent technical decisions made in one area of IT having a detrimental security impact on another.
The CISO of the future
The CISO role has certainly evolved during the past two decades and this will continue to be the case in the future.
In Australia, the introduction of mandatory data breach reporting requirements in February will shine further light on the security team and ensure they remain at the centre of an organisation's planning processes and operations.
There will also continue to be difficulties when it comes to finding sufficient CISOs to fill all available roles. Candidates need a mix of both technical knowledge and skills, as well as an understanding of the business conditions in which their organisation operates. Such a mix can be challenging to find.
In the future, the most successful CISOs will be those who achieve a balance between understanding a myriad of security issues and threats, all the while being fully appraised of how the business functions in order to ensure that the appropriate risk decisions are made. It remains a complex but vital job.