The Strategic Evolution of CISO Roles in Cybersecurity
Learn why empowering CISOs is crucial for organizational resilience.
William Wetherill, CISO of DefenseStorm, sheds light on how CISOs shift from technical guardians to strategic leaders to guide organizations through cybersecurity challenges.
The Chief Information Security Officer (CISO) role is increasingly recognized as critical for any organization to pursue its strategic objectives effectively. CISOs are the guardians of information security, tasked with minimizing the material impact of cyber incidents. Traditionally, CISOs have been relegated to a technical role, primarily concerned with implementing security measures to protect an organization’s IT infrastructure. However, with the increasing complexity of cyber threats and the growing dependency on digital resources, the understanding of the CISO role has evolved.
Today, CISOs are expected to take a more strategic role, developing and leading the information security program, educating and managing technology risk in collaboration with business leaders, and continuously evaluating and managing the organization’s cyber and technology risk posture. Due to the level of accountability and liability associated with the role, CISOs must have a seat at the decision-making table. This is not just about giving CISOs a voice but about recognizing the importance of cybersecurity and integrating it into the overall business strategy while cultivating trust and a reasonable expectation of accountability. This means being involved in strategic discussions, having the authority to sanction significant changes in cybersecurity, and having the support of the board and executive leadership.
The Case for Change
The recent SolarWinds case has fueled concerns about the failure to prioritize cybersecurity and transparency, but it has also prompted a more discerning view of the level of liability placed on CISOs. The Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The complaint alleges that SolarWinds and its CISO defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. This case underscores the importance of transparency in cybersecurity practices and the potential legal and financial consequences of failing to do so. It also highlights the need to clarify the authority of CISOs to sanction meaningful change while ensuring that the entire C-suite is committed to prioritizing cybersecurity.
Strategic Roles of CISOs in Cybersecurity
For CISOs to effectively protect their organization, it’s time to expand their strategic roles and clearly establish their authority to make significant decisions. Executive leadership can work with CISOs to expand their roles in the following seven ways:
1. Risk Management: Executive leadership can proactively identify, assess, and mitigate cybersecurity risks. This involves understanding the organization’s risk appetite and aligning the cybersecurity strategy accordingly. They can use risk assessment tools and methodologies to identify potential vulnerabilities and threats and develop mitigation strategies. This also includes continuously monitoring and updating the risk management plan to adapt to the changing threat landscape.
2. Information Security Policy Development: CISOs can lead the development and implementation of cybersecurity policies and procedures. This includes setting standards for data protection, network security, and incident response. They can work with various stakeholders to develop policies aligned with the organization’s objectives and regulatory requirements. These policies should be regularly reviewed and updated to remain practical and relevant and have approval from senior leadership.
3. Training and Awareness: CISOs can launch cybersecurity awareness programs to educate employees about potential cyber threats and the importance of adhering to security policies. These programs can include regular training sessions, workshops, and simulations to help employees understand their roles and responsibilities in maintaining cybersecurity. This fosters a security-aware culture in which every employee embraces the importance of their role in keeping the organization secure.
4. Incident Response Planning: CISOs should play a crucial role in planning and executing incident response strategies. This involves developing a plan to manage a security breach and mitigate its impact. They should build and test processes designed to coordinate the various teams to quickly and effectively respond to security incidents. This also includes conducting post-incident reviews to learn from the incident and improve the organization’s response in the future.
5. Collaboration with Business Units: CISOs should work closely with different business units to integrate cybersecurity considerations into business decisions. This ensures that security is not an afterthought but a vital component of the business strategy. They can guide and support business units in implementing security measures and complying with security policies.
6. Staying Current with Trends: CISOs should stay updated on the latest cybersecurity trends, threats, and mitigation strategies. This knowledge can inform strategic decisions and ensure the organization’s security measures are up to date. They can participate in industry forums, attend cybersecurity conferences, and collaborate with other organizations to stay informed about the latest developments in the field.
7. Regulatory Compliance: CISOs can spearhead compliance efforts with relevant cybersecurity regulations. This helps ensure the company avoids fines and potential legal issues while strengthening the organization’s security posture. They can work with the legal and compliance teams to understand the regulatory requirements and ensure the organization’s practices align with them.
Collaborating with the Executive Leadership Team
Along with this expanded strategic role, CISOs can significantly enhance an organization’s cybersecurity posture and resilience against cyber threats by shifting the burden from the CISO alone to a shared responsibility across the C-suite as a collective effort. CISOs should collaborate with executive leadership to review and make determinations based on their recommendations while ensuring that security measures are aligned with the organization’s broader business objectives.
Additionally, they should work in conjunction with the executive team to develop comprehensive risk strategies to establish acceptable risk thresholds and proactive steps to mitigate risks to an acceptable level. CISOs should also have direct communication with the board of directors, enabling them to candidly discuss security concerns and recommendations. With the necessary resources, established authority, and a shared responsibility model, CISOs are able to perform their duties better.
Advanced Technology Implementation Led by the CISO
CISOs have pioneered technological advancements, which have also contributed to significantly reshaping their roles. They have been instrumental in adopting and promoting new technologies to bolster security programs in innovative ways. Steve Katz, widely recognized as the world’s first CISO, provides an excellent example of how a CISO can leverage advanced technology to transform an organization’s security path.
Following a significant hack, Citicorp’s board instructed its CEO to recruit a security executive. Steve Katz was placed in the first-ever CISO role, and his approach to the position was innovative for its time. He saw his role as serving the business, not just the IT department. He believed that cybersecurity was a tool for managing business risk. He spearheaded the development of more robust security protocols, including advanced encryption for data transmission and improved authentication processes for system access. Katz also worked to put antivirus software and email security in place for personal computers, which were coming into more frequent use. Katz not only enhanced Citicorp’s security measures but also set a precedent for the role of CISOs in organizations, highlighting the importance of implementing advanced technology in the pursuit of security.
CISOs continue to innovate with advanced technology by leveraging Artificial Intelligence (AI) and Machine Learning (ML) for User and Entity Behavior Analytics (UEBA) and monitoring tools, enhancing their ability to detect and respond to security threats. Software-defined infrastructure, infrastructure as code, and software-defined networks have also been embraced to create more flexible and secure IT environments. Other notable examples of advanced technology implemented to enhance security include orchestration and automation tools such as Security Orchestration, Automation, and Response (SOAR), which reduce reaction time and the need for additional specialized staffing.
CISO Leadership in Cybersecurity Governance
As we move forward, CISOs should be integral to the decision-making process, with the authority to effect significant changes in cybersecurity. Their strategic importance must be recognized, and cybersecurity must be woven into the fabric of the overall business strategy. This is not just about avoiding legal and financial repercussions but about safeguarding the organization’s reputation, ensuring the success of strategic initiatives, and, ultimately, protecting the bottom line.
The role of CISOs in cybersecurity governance is not just indispensable. It is fundamental. Their leadership, expertise, and strategic vision are essential in safely steering organizations through the turbulence of cyber threats. Their role is not just about managing risks but about enabling trust, resilience, and growth. The future of cybersecurity governance is linked to the strategic role of CISOs, making them not only guardians of information security but also architects of digital trust.