CISO Rising: New Roles and Responsibilities
By Al Lakhani and William Beer
As the number and severity of cyber-attacks continue to rise, the presence and power of chief information security officers (CISOs) have increased significantly, and this job is now among the fastest growing positions in the corporate C-suite. Emerging out of the shadows of IT, today’s CISOs are finally being granted long overdue oversight and authority, as corporate leaders begin to recognize that cyber-security is an enterprise-wide issue posing enormous reputational risk.
As the ranks of CISOs expand, however, their success at protecting against an unrelenting moving target will be defined by their approach to the role and how that role is ultimately embraced by the organizations they’ve been hired to serve.
When the title of chief information security officer first began appearing on business cards more than a decade ago, the roles and responsibilities of the position bore little resemblance to their current reality. Most CISOs reported to the CIO, were entirely focused on technology applications, operated in silos and had little understanding of how to tie security to the needs of the business.
Since then, the role has evolved considerably. Rather than managing technology, today’s CISOs are responsible for a much deeper and broader set of interrelated tasks involving risk and governance. Increasingly, they are reporting to the CFO or chief risk officer, rather than to the CIO. CISOs are engaged directly with the board of directors and are also public facing. They’re being given their own budgets and are charged with not only defending against breaches—but also protecting and enhancing the value of the company and its brand.
A Bridge Beyond IT
As threats mount, it has become abundantly clear that effective cyber-security demands a focus on much more than technology. IT can no longer simply “fix” cyber-threats. The demands of the position require in-depth knowledge of the company and its challenges and strong relationships with key stakeholders, as well as technical acumen.
The entire executive team, including the board of directors, must assume a new management and governance role at the intersection of technology, business and risk—and they must be equipped to own such risks. The CISO must provide the support to fulfill this new mandate, bridging the gap between operations and IT to keep critical business systems, data and other assets secure.
To succeed in this role, CISOs must have deep knowledge not only of IT, but of the entire enterprise, forging strong relationships with the company’s customers, top management and external suppliers. They also must be granted greater authority, direct reporting lines to the C-suite, and regular interaction with the board as it steps up its oversight and involvement in defending and responding to cyber-attacks.
While a CISO’s specific responsibilities may vary from organization to organization, having the position report to the IT department is no longer appropriate.
With CISOs advancing beyond the limits of IT, they are also commanding separate budget lines—another recognition that the issue now extends well beyond technology. This will continue to be important as long as the economics of investing in cyber-security remain unclear. While the threats are apparent and growing, persuading corporate leaders to devote sufficient resources to safeguard their organizations continues to be an uphill battle, since the value of averting an attack is difficult to quantify.
Unfortunately, many companies are still unlikely to approve large increases in cyber-security investments until they have actually experienced an attack. Instead, executives and boards typically spend the amount they feel is proportionate to protect against the downside risk they anticipate. In many organizations, that comes down to guesswork.
Today’s CISOs are playing an important role in making the dynamics of investing in cyber-security much more transparent by casting the discussion in terms of overall enterprise and reputational risk—not just IT spend. They are ensuring that investments in cyber-security defenses target the right resources and address the right risk at the right time, making their roles much more strategic in nature.
The goal is to spend wisely, not just to spend more. Only when an organization has a bedrock of thoughtful and cost-effective cyber-security in place across its operations and supply chain is it in a position to assess the incremental benefits that could flow from additional investment.
Just as the new-style executive leaders and CISOs do, an effective cyber-strategy bridges technology and business in a holistic way. It enables and ensures the integration, analysis and monitoring of business insights and data from across the organization to support activities that include controls monitoring, threat detection and reporting.
In addition to reducing cyber-risk, the best strategies will have a broader scope and impact, providing a platform for value creation and growth by underpinning confidence in the security of online activities. These approaches also will enable businesses to take calculated risks, invest in new ideas and realize the true potential of e-commerce.
A Foundation for Best Practices
As today’s CISOs seek to create holistic and nimble cyber-security plans, they focus on these core elements, which form a foundation for best practices:
· Proactive planning based on a comprehensive vulnerability assessment. As converged security executives, CISOs are now charged with fully assessing where a company may have shortfalls in its cyber-security program. This includes a thorough assessment of all external-facing areas of vulnerability, of value-chain and supply-chain risks, and of the level of employees’ awareness of their role in cyber-attacks.
Assessments may also include benchmarking against competitors, which can enable companies to craft robust crisis management and response plans and build robust business cases for investments.
· Cross-business, cross-functional cyber-security committees. By generating proper support from each area of the business (legal, marketing, finance, human resources, customer service, etc.), CISOs are working to ensure that responses to attacks are never in a silo. For the legal department, this may mean gaining an understanding of how an attack could affect operations in various geographies and the required response plan to notify stakeholders in that specific region.
For human resources, this may include digital, social and online employee training that focuses on how to be more aware of the sources of risks, how to identify them and how to combat them. Overall, this approach ensures that each functional sector of a company has a vested interest in the effectiveness of the cyber-security strategy.
· Cyber-security strategy as a business advantage. The CISO’s role also extends to educating external stakeholders on the positive attributes a cyber-security strategy can bring to operations. In fact, much like the Good Housekeeping seal in the United States or the Kitemark in the United Kingdom, a proven cyber-security strategy can often serve as a powerful business differentiator and also can support stakeholder confidence before, during and after an event.
As attacks mount and the distinction between internal and external threats becomes less relevant in today’s cyber-world, CISOs are playing an increasingly important role at the intersection of technology, business and risk—and they are wielding much more influence than ever before. Indeed, CISOs, working in partnership with the C-suite and board of directors, are at the forefront of helping to make radical shifts in conventional thinking when it comes to cyber-security.
Therefore, the more authority CISOs are granted, the more they are embraced throughout the organization. And the more success they have moving from firefighting to a more proactive stance, the better prepared companies will be to protect their critical assets from an escalating global threat.
Al Lakhani and William Beer are managing directors at global professional services firm Alvarez & Marsal.