Whether it’s a question of to whom the CISO reports or quantifying what the CISO is actually responsible for, the role has changed over time, leaving many wondering how to balance the competing demands of IT, security, innovation and compliance.
In the final panel that closed out the second annual Infosecurity North America conference in New York, Martin Gomberg, the author of CISO Redefined, moderated a discussion, “The Changing Role of the CISO: Balancing the Competing Requirements of IT, Security, Innovation and Compliance to Optimize Business Performance and Shareholder Value,” that aimed to answer the ambiguous question of where the CISO should sit.
Participating in the conversation were Bernadette Gleason, VP BISO at Citi; Randle Henry, former CISO at Hewlett-Packard and consultant at Tevora; Ben Harris, VP of policy/compliance and CISO at Rakuten Marketing; and Derek Vadala, global head of cyber risk group at Moody’s.
“It seems like we are facing these challenges newly now, but it’s been almost 15–16 years that the CIO role has been in transition,” Gomberg said. With the CIO role now focusing more on innovation, what then happens to the role of the CISO?
The answer wasn’t quite clear. Across the panel, the roles and responsibilities differed in their responses to the question of what drives them on a daily basis. When asked whether compliance, innovation or risk is their greatest driver, Henry said risk, while Harris noted the influence of GDPR and Vadala noted the adoption of innovation.
“I focus most of my time on policy, strategy and architecture and a lot less time on the operation piece. One of the biggest challenges is the amount of tasks that have to be done,” Harris said.
Vadala echoed that the accumulation of responsibilities contributes to the challenges of today’s CISO. “I think in some cases those roles have accumulated a lot of aspects that are in some cases misaligned and may be becoming a little inefficient because it doesn’t allow individuals and teams to focus in on problem areas.”
"So how does today’s CISO go about making sure they are getting the budget they need?" Gomberg asked.
“Something that I struggle with is that the budget is pushed down from the top still and set, which is unfortunate, but we try to go bottom-up across the different groups and identify the risks that need to be addressed,” Harris said.