When it comes to cybersecurity governance and management, there is no “one size fits all” approach.
Today’s CISOs have a far wider range of responsibilities than their predecessors as heads of IT security.
The CISO role is no longer purely technical, focused on hardware and endpoint protection and on operations within the organisational perimeter. Today’s CISO is as likely to be involved with software security, cloud applications, security awareness, and user training.
Reporting lines are different, too. Although some CISOs still report to the CIO or even the IT director, they are as likely to have their own seat on the Board. This represents a wider shift in attitudes to information and cybersecurity. Cyber attacks pose an existential threat to organizations. A Board-level response is not just appropriate; it is essential.
The CISO’s Expanding Role
But updating cybersecurity governance should also go hand in hand with developments in the organization’s approach to risk. Cyber threats are no longer something that can be avoided. To a degree, they are a cost of doing business.
There is much commentary around the need for organizations to understand their attitudes to risk. Cyber risk is no exception. Some if not all this responsibility will lie with the CISO. They need to analyze risks, put forward mitigation measures, and present the results to the board.
As well as monitoring new and changing threats, CISOs need to stay ahead of developments in technology.
These includes cloud technology, artificial intelligence and machine learning, as well as the use of advanced analytics and sensors. Some of these developments are specific to security and are the key to providing a faster response to more damaging attacks. Others are being driven by the needs of the wider business to improve its agility, flexibility, and customer responsiveness.
Add to this the need to keep up with changing regulatory demands, firmer enforcement of compliance, new patterns of work, and a lower tolerance for downtime, and it is clear that a single CISO is no longer a workable solution.
A New Structure: An Office of the CISO
These growing responsibilities are prompting forward-thinking organizations to look again at how the CISO role is organized. In larger businesses, there is a strong case for appointing multiple CISOs in a way that covers business units, geographies, or specific areas such as operational technology or software development.
So, should organizations try out new models for the CISO role? It is increasingly clear that a one-size-fits-all approach will not work. And it is just as clear that a single CISO will struggle to run all aspects of cybersecurity and risk in an enterprise.
One idea that is gaining ground is the “office of the CISO," or a multiple CISO structure. This might emerge around a “super CISO” with overall responsibility for security and risk, heading up individual CISOs or security leads for business units or geographies. Annother version could see security leaders aligned by function, with a CISO for manufacturing, for the supply chain, and for the CTO’s office, as some examples.
Bringing security together in this way should also help the organization to adapt to other changes in risk and security. Physical and IT – or more appropriately data – security are already converging. And effective cybersecurity depends increasingly on well-trained and well-informed people. The CISO’s department is as likely to be involved in security awareness and education, as it is with technical measures such as firewalls or threat detection.
Creating a chief security office or an office of the CISO integrates these disciplines and skills. It should make the security function more responsive and more adaptable but also more resilient. Workloads are spread across a team rather than resting with one individual, and a team approach allows a degree of specialization. The overall security lead will then report to the board.
And it also lays the groundwork for future development of the security role. In larger organizations such as the financial sector or government, it is already common to have 1,000 or more staff working in a security role. That will only grow, as the office of the CISO takes on responsibility for physical security, crisis management, and business continuity.
Whichever way it is organized, it is clear that the CISO’s position is now closer to the boardroom than the basement.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.