The traditional career path for a chief information security officer (CISO) is fairly straightforward. An individual begins their career in IT but ultimately moves to security after demonstrating a security mindset. Once established within the ranks of information security, the professional receives promotion after promotion until they attain the title of CISO. There, they enjoy the highest pay that infosec as an industry can afford while reporting directly to the chief information officer (CIO) about all things related to security.
Sound familiar? I bet it does…at least for the moment.
Things are rapidly changing for today’s CISOs. In its State of Cybersecurity Report 2019 (SOCR), Wipro found that CISOs have come under heightened scrutiny from the board. The Indian multinational corporation also found that just over a fifth (21 percent) of CISOs had begun reporting directly to CEOs. (That said, 51 percent of these executives still counted CIOs as their direct supervisors at the time of the study.)
Wipro noted in its report that organizations might be starting to move away from the traditional reporting model for CISOs because of the desire to avoid conflicts of interest. The CIO is chiefly concerned with implementing new technology projects to support the organization, whereas the CISO is interested in minimizing the organization’s risk level. These operational interests oftentimes align…but not always. Per Dark Reading, the CIO—and IT as a whole—tends to be less risk-averse than the CISO, who uses information security to keep the organization safe.
Even so, it’s irresponsible to reduce the changes identified by Wipro to mindset differences between CIOs and CISOs. Research has shown that organizations are safer when CISOs report to CEOs instead of CIOs. For instance, in its Global State of Information Security Survey 2014, PwC along with CIO magazine and CSO magazine found that organizations with the CISO-CIO reporting model suffered 14 percent more downtime than those organizations where the CISO reported directly to the CEO. The study also found that any other CISO reporting structure actually reduced financial losses; for those organizations where the CISO reported to the CEO, losses were 46 percent lower than those where the CIO supervised the CISO.
An even more significant force is the fact that the role itself is changing as it begins to receive more governance responsibilities. Many of these duties take the CISO beyond the narrow scope of IT technology and into the domain of writing policies, transforming processes and developing educational programs. As former CIO Scott Koegler writes for Security Intelligence:
If security were simply a subset of IT infrastructure, it would make sense to maintain a reporting structure in which security professionals report to the CIO. However, every facet of the enterprise depends on a secure IT infrastructure, and today’s CISOs are finding that they need to work with multiple C-level authorities.
In other words, CISOs are beginning to directly report to CEOs more frequently because security as an issue extends beyond IT. Kal Bittianda, head of executive recruiter Egon Zehnder’s North America technology practice group, explained for Security Roundtable that digital security is an enterprise-wide concern. As such, CISOs need to have the freedom to tackle its many facets, including the use of security awareness training and other educational campaigns to improve employees’ digital preparedness.
This raises a question: what does this mean for the types of skills that CISOs should use on the job? Are their security skills as important as they used to be?
That’s up for debate. On the one hand, CISOs need their security skills in order to evaluate the organization’s risk posture and craft an appropriate security strategy. That’s not to say that they should be building their own Splunk reports as part of their everyday work functions, but they should be familiar with a variety of security technology and principles so that they can formulate as comprehensive a security strategy as possible.
On the other hand, CISOs need to draw upon other skills so that they can effectively explain security risks facing the organization to the board and direct their strategy’s implementation across the entire enterprise. Security personnel can’t necessarily pick up these skills while working their way up the infosec ladder. In fact, there’s something to be said about CISO candidates moving through the facility, legal, HR and marketing departments to be able to both understand and approach digital security as a holistic problem.
So, what should these skills be exactly?
Tim Erlin, Tripwire VP of Product Management and Strategy, and Thom Langford, experienced CISO and Founder of (TL)2 Security Ltd, tackled this very topic in “Modern Skills for Modern CISOs.” Over the course of the webinar, Tim and Thom each identified the five skills that they feel are the most important for the modern CISO. They then discussed the merits of their respective skills lists to better understand what skills are necessary for CISOs to be successful in today’s evolving enterprise.
Learn which skills can now most effectively help CISOs fulfill their job duties by viewing Tim and Thom’s webinar here: