The CISO of the Future: Getting Down to Business

As the role that cybersecurity plays in the business environment grows, Michael Hill investigates how the job of the CISO will change from one which once solely oversaw technical solutions to one that will be ever-more business-orientated

The profile of the Chief Information Security Officer (CISO) has evolved significantly over the last decade or so. With more and more organizations realizing just how important and big the task of protecting their data really is, the need for a lot of businesses to have a skilled, dedicated information security leader has changed from a convenient nicety to a critical element in the success and sustained well-being of a company.

In fact, as Andrew Hay, security expert and CISO, tells Infosecurity, the role of the CISO (or its equivalent) has become as close to an enterprise requirement as we can expect without a government mandate.

“The largest organizations in the world know that having a CISO is a required cost of doing business if they hope to retain customers’ hearts, minds and dollars. This sentiment is beginning to trickle down from the biggest of the big to the mid-market organizations fighting tooth and nail to compete with incumbent firms, protect their intellectual property, and secure the transactional and analytical data generated by their customers”, he says.

A maturing threat landscape coupled with the enhanced profile of the CISO is having a notable impact on the role itself. More than just increased pressure to protect and deliver in a demanding environment, the anatomy of the job is changing, most poignantly moving from one which once solely oversaw technical solutions for particular cybersecurity problems to one that is becoming far more business-orientated.

“The role of the CISO has always – and will always be – changing and evolving and the CISO will need to adapt to new demands and levels of accountability”, explains Amanda Finch, general manager of the Institute of Information Security Professionals (IISP).

This trend will continue into the future, adds Dr Adrian Davis, EMEA managing director, (ISC)2, with the role becoming ever more business-defined. “The challenge [for future CISOs] will be to have enough technical awareness and knowledge to be able to turn the business requirements into working security processes, procedures and technologies”, he says.

Whether they originate from a traditional cyber-tech background or not, for future security leaders, being able to constantly understand, learn and adopt the various technological aspects of cybersecurity will always be important. However, what’s evident is that this will not be the only thing keeping them busy.

As the role cybersecurity plays in the business environment grows, it will be just as − if not more − imperative for CISOs of the future to have the ability to align cybersecurity with various elements of the wider business, and deal with the challenges that presents. This, as Hay argues, will be the greater test: “Technical aspects of technology are relatively easy [to learn]. Understanding the broader application to the business world, however, takes exposure and experience.”

Well, there’s no better place to start than at the top.

“If the CISO learns to communicate in the language of business, their peers within the organization will likely be more receptive to future requests as they arise” – Andrew Hay

Getting on Board

As the prevalence of the CISO increases, so will their influence in the one place where key business decisions are made: the boardroom. “CISOs will increasingly be board members or similar,” Finch explains. “This again comes back to the expected increase in desire for accountability.”

This presents CISOs of the future with a real opportunity to become one of the key business leaders in the company, but having a seat on the board is one thing; using it to address key cybersecurity matters is quite another.

“CISOs have got to be able to express themselves and get the right outcome in the boardroom,” Simon Hember, group business development director at Acumin Consulting, tells Infosecurity. “They have to be able to quantify cyber-risk, and also be able to monetize that risk so it is easily digestible for the board.”

They will need to translate cybersecurity in a way that resonates with business leaders who don’t speak XSS or SQL, but will connect with ROI, customer retention, company reputation and how security affects the bottom line. A strong understanding of those business matters along with the right business communication skills are therefore key. For too long, businesses have suffered from a disconnect between the C-suite and the realities faced by the IT security team, and it will be the responsibility of the CISO to change that.

“Technical jargon might impress but the presentation of a firm business case combined with a detailed risk or threat assessment will be much more impactful,” Hay adds. “If the CISO learns to communicate in the language of business, their peers within the organization will likely be more receptive to future requests as they arise.”

“The CISO and his/her reports will be more like project managers, managing resources to accomplish goals versus reactive tactile responses” – Morey Haber

Mind the Resource Gap

That is a strategy for managing the people already on board, but what about dealing with what many consider to be the future CISO’s biggest hurdle – the ever-widening cybersecurity skills gap?

With so many unfulfilled jobs in cybersecurity already, and a plethora of research suggesting the number is set to grow over the next five years, it would be naïve to think that a shortage of skilled staff isn’t going to dramatically impact security leaders of the future.

Businesses have been guilty of chasing the ‘five-year experience hires’, deferring to experience to get the people they need. “Clearly, companies can no longer follow this policy and it will fall to the CISO to show leadership in resetting a talent strategy that includes investment in newcomers”, argues Davis, whilst Finch adds that CISOs will also need to give more thought to “growing talent internally, either through apprentice schemes, graduate programs and cross-training people from within the business.”

However, the reality is that we have already moved beyond the point where creativity in recruitment alone can help CISOs and their companies meet the needs of the future. For example, businesses will not be spared the rod of regulatory fines (most notably those of the GDPR) if they fall foul of data privacy laws, and the excuse of ‘we are under-resourced’ will not wash.

Therefore, as Morey Haber, VP of technology at BeyondTrust, argues, it will also fall on CISOs of the future to bring in and manage specialist services to help them meet demands, outsourcing certain aspects of the operation to service providers who deliver on scale to multiple organizations.

“The shortage of security professionals will warrant using partners, MSSPs, consultants and other shared resources to accomplish goals versus bringing the entire expertise in house”, he says. “This means the CISO and his/her reports will be more like project managers, managing resources to accomplish goals versus reactive tactile responses.”

The Awareness Leader

Stepping into the wider echelons of a business, another significant challenge awaits the CISO: the issue of security awareness amongst staff and users.

In a survey at the Financial Services Information Security Network in 2016, the Network Group Events found that 82% of CISOs who attended were planning to invest in security awareness in the near future.

“Over the past few years, we have seen a radical shift in attitudes amongst CISOs towards user awareness training,” Jake Summerfield, managing director of The Network Group Events, explains. “Whereas this practice has historically been seen as an inefficient and unproductive exercise in the workplace, user awareness training is now viewed as the most effective method of protecting corporate assets.”

This paints an encouraging picture of what future security leaders will have within their remit. Historically, security awareness is an area that has drastically let companies down. As attacks become ever-more human-targeted, a greater focus on addressing insecure behavior to make the ‘human firewall’ a company’s strongest security asset instead of its weakest link can only be a positive thing. However, to get it right, CISOs of the future must learn from mistakes of the past and, in many ways, the present.

The key is to realize that the people who make up a company’s workforce are very diverse, with differing understandings of, and attitudes towards, cyber-threats. Whilst the board will often share common goals for business success, the wider workforce is a far bigger, more varied pool of individuals to manage.

“You have to look at how people learn, and why they learn, and give them a reason to care,” Chris Pogue, CISO at Nuix, explains. “Whether that’s marketing, or sales, or administrative staff, they’re not focused on security day in, day out, so you have to provide a reason for them to care. You need to give them an emotional hook, and once they are emotionally invested they will do just about anything.”

A Learning Curve

As the future CISO embarks on a journey to become a business leader, and dealing with the business challenges that includes, the strongest quality they can demonstrate will be a willingness to constantly learn, grow and develop their skillset.

“Technical security people would do well to invest in courses, training or books that help them grow in key business areas,” Hay advises. “This includes negotiating, leadership, conflict resolution, communications, business writing and human resource management. Not only will these skills be invaluable for their career progression, but it will also help them better understand the business as a whole.”

If they get this right, adds Finch, the world can be their oyster: the role could carry a lot of kudos and offer the opportunity to really influence at senior levels.

What’s inescapably clear is that for CISOs of the future, the volume will be turned up on all levels, providing a high-profile, high-pressure role for gifted people. While the challenges will be vast, so will the opportunities to succeed.