The CISO’s role is never static. Over the last two decades, it has evolved beyond technical IT security. CISOs are now central to their organization when it comes to risk, compliance and governance. And this comes at a time when businesses are undergoing rapid change in the face of changing threats.
In the past, the CISO or head of IT security has been an inward-facing role, ensuring compliance and keeping data secure. But that has changed, with cybersecurity teams becoming more business-oriented. That includes supporting new ways of working – a trend that was underway even before the pandemic – secure software development, and helping the organization understand and manage risks.
New Roles of the CISO: Continuity Planning, Incident Response, and Recovery
Customers, service users, and citizens are less and less tolerant of outages, downtime, and data loss. Regulators and stakeholders need to know that the organization can protect sensitive data and deal promptly with a security issue.
All organizations need to plan for business disruption and breaches, both in terms of business continuity and recovery. The responsibilities of security and business continuity are moving closer together in many enterprises. Increasingly, this falls within the CISO’s role. Business continuity is no longer just an IT issue, and it is closely interwoven with security.
CISOs are responsible for information assurance and for making sure the business can recover data and systems. This goes beyond managing IT security tools such as firewalls or anti-virus. The CISO is a key partner in ensuring the business meets the needs for continuity, availability, and integrity alongside other key executives such as the CIO and the chief risk officer.
And with the increasing importance of supply chains – both upstream and downstream – CISOs find themselves working more with suppliers, customers, and other stakeholders.
At the same time, CISOs are responsible for increasingly mission-critical security response functions. This might include a larger team, more sophisticated tools, and even a larger budget. But threat intelligence, SOCs, and threat response teams all need management.
CISOs will need to deal with the aftermath of a breach including data and business recovery. Potentially, they will be liaising with regulators and data protection authorities, and, in cases such as ransomware, with law enforcement. They might even need to provide advice to the board on issues that overlap with legal affairs, media relations, and human resources. This requires the CISO to work with professionals in those disciplines. They need to be team players.
And organizations are also trying to involve the CISO earlier in new ventures. In software development, for example, the move towards DevSecOps and “shifting left” makes security a vital consideration much earlier in the process. CISOs and their teams will then become much more directly involved in areas such as web application development or the customer experience.
Board-Level Decision Making
This broader role is also reflected in the CISO’s changing status. CISOs are now one of the key advisers to boards and increasingly key decision makers. Boards are increasingly aware of the financial, regulatory, and reputational consequences of cyberattacks, breaches, and data loss.
CISOs are now, or should be, central to risk and security planning. To do this, they need to understand the business’s risk appetite as well as advise on how to minimize and mitigate the risks.
This goes beyond technical measures and even the areas of data integrity and business continuity we discussed earlier. It extends into regulatory, geographical, political, and economic risk, especially for businesses that operate on a global scale.
Businesses need to understand the cybersecurity environment they operate in. Moving into new territories, or trading with them online, brings with it different security and privacy laws, different approaches to cybersecurity from law enforcement, and even different societal norms. The processes and procedures that work in one country will not always translate to another.
Organizations are aware of this. But they need to bring the CISO in early enough so that cybersecurity risks are factored in alongside commercial considerations. At least then, if the board goes ahead, they do so having considered all the risks.
Moving Towards Advocacy
This, then, sets the direction for the CISO’s future role. The position will be less focused on technical solutions, although these will always be important.
But the CISO will be first and foremost an adviser as well as a promoter of security awareness and skills. Above all, they are an advocate for better security and for best practice in managing risk.
About the Author: Stephen Pritchard is a video journalist, broadcaster, and writer. He works as a freelance producer, presenter, and moderator, and he writes news, analysis, and feature articles for the international and UK press, trade media, and magazines. Stephen’s main beats include technology, telecoms, security, science, and management. He is a contributing editor and columnist for IT Pro and for Infosecurity Magazine. Stephen also writes for a number of newspapers including the Financial Times, the Guardian, and Sunday Times.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.