Based on research carried out with 60 current CISOs and Forrester’s observation of the industry, Andrew Rose - principal analyst at Forrester Research - announced that the role of CISO as we know it today will “fall from under our feet”. The choice it leaves, he said, is to either step up to be the corporate information risk manager, or to step down to a support-based role, as a technical expert for example. “CISOs need to think about their career path because they can’t stay where and as they are”, he advised.
“Being a CISO is a tough job. There are too many problems to balance and too many vendors shouting at you”. Rose recalled the evolution from the tecchie CISO in 1998 “who always said no” to today’s CISO who is focussed more on business, delivery and engagement. “The role will evolve even more radically between now and 2018”, he advised. “CISOs are needed more than ever, as security is becoming more important”, he said.
To enable a smooth transaction into the future CISO, “we need to get angry, fight, and keep innovating.” Neither staffing challenges nor third-party supplier challenges are going away, argued Rose. “Technology is becoming more pervasive, customer expectations are increasing and new business transactions are taking off.” The ‘internet of things’ and big data will also pose great challenge for tomorrow’s CISO according to the Forrester analyst.
The 2013 CISO is focussed on five areas in the below order:
- Prepare
- Respond
- Detect
- Oversee
- Liaise
Today’s CISO, however, predicts that the 2018 CISO will have different priorities and predict these to be:
- Liaise
- Response
- Oversee
- Detection
- Prepare
“Technology is pushed to the bottom of the list in 2018”, Rose evaluates. “Technical skills were rated least important in a list of skillsets required for the CISO in 2018.”
To kick-start the evolution to become the CISO of the future, the first step is to admit the failures of CISOs to date, Rose advised. “There has been a lack of business alignment, a lack of business engagement, and a lack of strategic innovation.”
Personal development, suggested Rose, should focus less of CIISP and SANS training and more on management and leadership training. “Plan a path away from operations and technology and transform the organisation yourself”, concluded Rose.