Back in the early days of networking, many companies assigned all of the responsibilities to anyone who showed any aptitude towards operating a computer. In many companies, this was an accountant or someone else who also managed sensitive financial information. The assumption was that the person managing the corporate books was the most trustworthy person in the organization. This is perhaps true of finance, but as you can imagine, not only were the networks poorly managed, but the security consisted of whatever the software manufacturer put into place.
As computer science evolved not only as a discipline but also as a career, more companies recognized the need for more qualified individuals to manage the machines. Along with the evolution of computing, security slowly emerged. However, it creeped along with the same approach as the early networking days, that is, it was trusted to the network administrators. Fortunately, the position of security engineers and analysts became more commonplace, eventually rising to the level of Chief Information Officers and Chief Information Security Officers.
The early CISOs were often little more than figureheads in many companies. In many cases, the CISO title was added on to the responsibilities of the Chief Operations Officer or the Chief Administrative Officer. This was mainly because cybersecurity was still not taken seriously. As more and more companies fell victim to attacks, government regulations started to include the CISO as a vital component of a full cybersecurity program. Not only did the CISO role become codified in law, but the entire role of the CISO also started to shift.
A CISO in the Modern World
One way that the CISO role has changed is through the increased existence of a remote workforce. This expansion of the network perimeter has increased the complexity of security management. Part of the complexity is through the use of personal computing devices that are introduced into the corporate network.
Another amendment to the CISO role has been brought about through cloud computing. Not only has the workforce become remote, but the entire data center has also been moved to a remote location. In some ways, this has made part of the CISO role a bit easier by removing some of the burden of managing an on premise data center. However, this ease is offset by the added responsibility of securing data outside of the corporate walls, which also presents new challenges and makes the CISO role harder still. One of the main challenges is that cloud computing creates an infrastructure fluidity that can quickly exceed strategic planning.
Perhaps the most glaring change in the role of the CISO is that the job is no longer primarily technical. The modern CISO needs to know the technology, but more importantly, they must understand how to make a business case for support of cybersecurity initiatives. Along with that, the CISO must be attuned to business risk. Through these developments, the CISO role is becoming more tech adjacent.
As a discipline, cybersecurity has come a long way. In fact, just a few years ago, finding a cybersecurity focus in an institute of higher learning was non-existent. Now, cybersecurity is a recognized path towards a career. Similarly, the CISO role currently seems to only exist via certification authorities. However, with the expanding job responsibilities and the importance of the CISO position in all organizations, it is very likely that CISO track will be added as a business major in many universities.
To learn more about the changing role of the CISO, download your copy of this white paper: https://www.tripwire.com/misc/the-changing-role-of-the-ciso.