CISO Rising: New Roles and Responsibilities

By Al Lakhani and William Beer

As the number and severity of cyber-attacks continue to rise, the presence and power of chief information security officers (CISOs) have increased significantly, and the job is now among the fastest-growing positions in the corporate C-suite. Emerging from the shadow of IT, today's CISOs are finally being granted long-overdue oversight and authority, as corporate leaders begin to recognize that cyber-security is an enterprise-wide issue posing enormous reputational risk.

As the ranks of CISOs expand, however, their success at protecting against an unrelenting moving target will be defined by their approach to the role and how that role is ultimately embraced by the organizations they’ve been hired to serve.

When the title of chief information security officer first began appearing on business cards more than a decade ago, the roles and responsibilities of the position bore little resemblance to their current reality. Most CISOs reported to the CIO, were entirely focused on technology applications, operated in silos and had little understanding of how to tie security to the needs of the business.

Since then, the role has evolved considerably. Rather than managing technology, today's CISOs are responsible for a much deeper and broader set of interrelated tasks involving risk and governance. Increasingly, they report to the CFO or chief risk officer rather than to the CIO. CISOs engage directly with the board of directors and are also public facing. They are being given their own budgets and are charged not only with defending against breaches but also with protecting and enhancing the value of the company and its brand.

A Bridge Beyond IT

As threats mount, it has become abundantly clear that effective cyber-security demands a focus on much more than technology. IT can no longer simply "fix" cyber-threats. The position requires in-depth knowledge of the company and its challenges and strong relationships with key stakeholders, as well as technical acumen.

The entire executive team, including the board of directors, must assume a new management and governance role at the intersection of technology, business and risk, and they must be equipped to own such risks. The CISO must provide the support to fulfill this new mandate, bridging the gap between operations and IT to keep critical business systems, data and other assets secure.

To succeed in this role, CISOs must have deep knowledge not only of IT, but of the entire enterprise, forging strong relationships with the company’s customers, top management and external suppliers. They also must be granted greater authority, direct reporting lines to the C-suite, and regular interaction with the board as it steps up its oversight and involvement in defending and responding to cyber-attacks.

While a CISO's specific responsibilities may vary from organization to organization, having the position report into the IT department, with the CIO deciding the security budget and priorities, is no longer appropriate.

With CISOs advancing beyond the limits of IT, they are also commanding separate budget lines, another recognition that the issue now extends well beyond technology. This will continue to matter as long as the economics of investing in cyber-security remain unclear. While the threats are apparent and growing, persuading corporate leaders to devote sufficient resources to safeguarding their organizations continues to be an uphill battle, because the value of an attack that never happened is difficult to quantify.

Unfortunately, many companies are still unlikely to approve large increases in cyber-security investments until they have actually experienced an attack. Instead, executives and boards typically spend the amount they feel is proportionate to protect against the downside risk they anticipate. In many organizations, that comes down to guesswork.

Today’s CISOs are playing an important role in making the dynamics of investing in cyber-security much more transparent by casting the discussion in terms of overall enterprise and reputational risk—not just IT spend. They are ensuring that investments in cyber-security defenses target the right resources and address the right risk at the right time, making their roles much more strategic in nature.

The goal is to spend wisely, not just to spend more. Only when an organization has a bedrock of thoughtful and cost-effective cyber-security in place across its operations and supply chain is it in a position to assess the incremental benefits that could flow from additional investment.