The Evolving, and Essential, Role of the CISO

Today’s cyber-security environment is daunting, so assembling the right combination of technology and business processes is critical. In fact, Rick Siebenaler, chief technology officer for Deloitte Advisory, says that chief information security officers (CISOs) must rethink how they approach cyber-security.

Technical knowledge increasingly takes a back seat to understanding how strategic initiatives create risks. There’s also an urgent need to develop a security program that balances business performance with protecting customers, employees, intellectual property and a brand’s reputation.

Baseline: What is driving the need for change in the CISO position?

Rick Siebenaler: Cyber-security is no longer relegated to the back office of the IT shop; it has been elevated to a business-level issue, and it reaches all the way to the executive suite. An incident can inflict major financial harm and cause damage to the brand. It can also lead to regulatory and compliance problems.

As a result, there’s a need to look beyond firewalls, antivirus, identity management and other basic security measures and think within a more strategic framework. CISOs must communicate with CIOs, CEOs and the board of directors.

Baseline: How does this change the role of the CISO?

Siebenaler: The CISO position needs to evolve beyond bits and bytes and an understanding of infrastructure. CISOs must become more business-literate, engage with executives and articulate issues and problems, and adopt an approach that revolves around risk-based decision making as opposed to locking everything down—which is more in line with the historical view.

Senior executives don’t understand the IT environment, and they don’t want to understand it. They simply want to know that the CISO is making wise, informed decisions.

Baseline: How does a CISO navigate this environment most effectively?

Siebenaler: The traditional way of viewing things is that the CISO’s job is to protect everything. They have served as the technology guardian. Today, it’s important to step back from firefighting and adopt a more strategic role.

In our lab, we try to frame the key issues and lead CISOs through the process of blocking and tackling more effectively: Have they prioritized risks? Do they understand how technology addresses these risks? Do they have the right team? Do they have the right stakeholder relationships? Do they have a vision about where they want to go? Do they have an action plan that aligns with their strategic decision?

Baseline: How does this play out in a practical sense?

Siebenaler: This might range from adopting new IT systems or security applications to finding new team members or redefining relationships with senior executives. It’s critical to have a close relationship with an advocate, including someone who can build a bridge to the entire executive suite. But it’s also important to stay tuned to a fast-changing IT environment and how threats are changing.

Finally, it’s critical to be resilient. While disaster recovery and business continuity are important, there’s also the question of how an organization will act and respond when an event takes place. There are a lot of nuances that are easily overlooked.

Baseline: What final thoughts do you have?

Siebenaler: Information security is kind of like a 500-piece puzzle. What CISOs and others must realize is that you cannot protect everything to the extent desirable. So, you really have to understand your assets, recognize your organization’s priorities and structure, and make informed decisions based on risks and protections.

In order to do this, CISOs must get out of firefighting mode, devote adequate time to developing a strategy, and build a case for an adequate budget by clearly identifying and quantifying risks in a way that senior executives understand.