The Evolution of the CISO
If there is anything we know for certain, it is that change is a constant, particularly in the cybersecurity domain. However, the rate at which the world hurtled through its digital transformation journey over the last few years would have never transpired had it not been for the pandemic. Although we were always evolving towards greater digitalisation and had certain drivers in place to nudge the process along, every step was calculated and with the option to hit pause. That is, until Covid propelled us forward, for better or for worse.
Today, organisations must contend with an ever-growing battalion of cybercriminals, backed by the wealth of skills, resources and networks offered on a flourishing black market. It is no longer a question of “if” but “when” an organisation falls victim to an attack. The cybersecurity landscape has evolved, and alongside this, so too has the role of the CISO.
For decades, CISOs and their teams were laser-focused on a singular objective: protect the company from cybersecurity threats. They would scour their respective networks for vulnerabilities and endeavour to close all gaps, often at the expense of progress and innovation, earning a reputation as the ‘Department of No’. Yet operating with such a conservative mentality is detrimental to business growth, let alone survival. Of course, taking the other extreme – feigning ignorance and neglecting to implement any security measures – could jeopardise business continuity as well. So, CISOs today are having to adopt a strategic role and find the happy medium, balancing risk with innovation and cost. They can no longer champion just one pillar but must understand the nuances and interdependencies of all three, managing the risk accordingly while enabling the business to meet its long-term objectives.
The Advocate and Influencer
In fact, it is becoming harder to be a purely technically driven CISO. Not only do they have to understand and manage risk, but CISOs now need to have the skills to communicate this effectively. Although boards are increasingly mindful about the importance of cybersecurity, they still need someone who can translate the technical jargon. They want to know what the risks are and how they can be reduced, while achieving bottom-line savings and top-line growth. With that said, CISOs with an MBA background may be better equipped. The same can be said of communicating to employees and even the wider public. Within the company, CISOs must champion the company’s security culture and empower employees to own their responsibility within it. Equally, they are becoming the face of consumer trust.
Whether a consumer and/or business partner trusts a company to protect their data is increasingly a key factor in purchasing or partnership decisions. According to a report by Edelman Trust, over 80% of consumers highlight trust among the most important factors in their buying decisions. Therefore, CISOs are having to both ensure the company is well protected and meeting compliance requirements, and instil this confidence in customers and partners.
It is important to note here that the value the modern CISO brings to the company moves beyond its technical function, as they become pivotal in driving growth. This reinforces the need for them to have greater influence from within the C-suite, akin to the COO and CFO.
The Mentor and Recruiter
As many of us in the industry are aware, we face a significant skills shortage. In a report published by (ISC)², there is a global cybersecurity workforce gap of 3.4 million people with 70% of organisations believing they do not have enough cybersecurity staff to be effective. This too has given rise to heightened mental health challenges as security teams face burnout. As such, mentorship and coaching are creeping into the job descriptions of CISOs – informally, at least.
Alongside their everyday job, CISOs today must have the interpersonal skills to recognise when a member of the team needs support, as well as the ability to train and guide aspiring cybersecurity professionals through their career journey. Some are even beginning to leave their LinkedIn inboxes open to answer questions from prospective recruits and are taking the time to sell the job during industry conferences.
Last but not least is the new role that CISOs play as ‘liaison’ between the company and its third-party partners. The vast majority of our data and business processes are now held outside the confines of the organisation, more often than not in the cloud or in SaaS applications. This means CISOs have to step up to build rapport with their partners and ensure security standards are met.
All in all, it is clear that the job scope of the modern CISO has broadened. They are being asked to adopt a more holistic approach: to have interpersonal skills, to communicate effectively, and to collaborate and integrate themselves into business strategy. The CISO has certainly come a long way from being a purely technology role.
To learn more about the changing role of the CISO, why not check out our podcast ‘Cyber Insiders’, where we take a deep dive into what skills today’s CISO needs to be successful in the role – Andreas Wuchner on the evolving role of the CISO.
To find out more about Adarma and how we can help strengthen your cybersecurity posture, please contact us.