CISOs have long been tasked with guarding their organizations against cyber attacks, but recently, their roles have evolved beyond security. CISOs used to report to CIOs, but recent research shows that organizations are rethinking this structure, as well as the scope of the CISO’s purview.
Marlin Hawk’s report on the state of the CISO role revealed that more CISOs are reporting to CEOs directly and participating in Board discussions surrounding business risk.
“Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO,” says James Larkin, managing partner at Marlin Hawk. “This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers.”
Here’s how CISOs can reorient themselves to align with the new expectations their companies are placing on them.
Overseeing Trust in its Many Forms
Modern organizations value consumer trust highly. Consumers are highly aware of companies’ data collection practices and view any organization with tainted security track records as untrustworthy. This shift explains why major companies like Cisco and SAP have Chief Trust Officer roles that oversee cybersecurity alongside other sources of business risk, essentially a new twist on what a CISO is all about.
These officers examine the revenue impact of security decisions and the impact infrastructure choices will likely have on customers and their level of trust in a company. As a result, many organizations that never considered pursuing cyber GRC badges are now doing so.
Displaying a GRC certification seal like those offered by ISO and NIST can be a great way to demonstrate organizational commitment to secure business practices. It can also differentiate companies from their competitors who have yet to adhere to these frameworks.
“In the last 12 months, we’ve witnessed a series of events, such as the ones reported by Okta, LastPass, CircleCI, and many others, highlighting how customers’ data is at an all-time high risk of exposure, mishandling, and misuse,” says Arik Solomon, co-founder and CEO of Cypago. “In turn, it created a massive spike in customers’ demand that their service providers and vendors prove compliance with security and privacy frameworks.”
From a CISO’s perspective, auditing company processes can deliver greater rewards than a badge. The certification process gives CISOs valuable data regarding shortcomings they can address. By using Cypago’s cyber GRC automation tools, CISOs can ensure their companies always adhere to high standards. Automation of this sort gives CISOs more time to focus on strategy while turning security and privacy trust into a business asset.
Proactive Risk Management
Because so many of today’s businesses operate primarily in digital spaces, cybersecurity has a stronger impact on revenue than in the past. As a result, CISOs aren’t just identifying security risks when they review security postures. They’re identifying revenue risks that impact their organizations’ futures. Boards are now asking CISOs to project business risk and the impact of security choices on the organization’s future.
CISOs must therefore move beyond a narrow security risk focus and broaden their scope. “The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks,” says Sam Olyaei, a Gartner VP, “to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.”
Remote working policies are a good example of CISO impact. CISOs oversee the policies and solutions that define people’s ability to log into company networks from outside the office. However, if company infrastructure and business risk make remote work unfeasible, CISOs can define company work policies through recommendations to the CEO.
These decisions have implications beyond ongoing operations, as they also impact a company’s ability to attract talent or to downsize offices. CISOs must now look outward, a stark contrast to the inward focus the role once had.
Everything from evaluating IoT adoption to educating employees on the latest cyber risks is under the CISO’s purview. Successful CISOs are embracing this change and leaving a lasting impact on their organizations. End-to-end security tools such as Fortinet’s can take over several CISO tasks, giving them the time to enhance their risk evaluation skills and analyze the impact on their organizations.
Becoming a Collaborator-in-chief
Alain Sanchez, Fortinet’s Field CISO, is aware of the changing demands placed on CISOs and highlights a few examples of new queries that today’s CISOs need to field from other members of the C-suite – queries relating to due diligence for company acquisitions and even reports for board relations.
“Rather than speaking from the voice of ‘Mister No’, the CISO has turned into a source of inspiration for innovation, rallying data analysts and software developers under the same banner of secure operations development,” Sanchez notes. “In order to do so, the CISO and their team have initiated a healthy dialogue between production, marketing, finance, and even HR and legal. As a consequence, this has shifted the focus from bits and bytes language towards more business-oriented notions such as risk, market footprint, and compliance.”
Insights from non-IT executives shape the business drivers behind security and risk management, and so have a huge impact on its effectiveness, making cross-functional collaboration all the more important.
For instance, CISOs can better evaluate the security risks of internal department tools if they understand a business unit’s functions and goals. In some cases, the data security risk posed by an automated solution might outweigh the efficiency it brings. CISOs cannot present such well-rounded findings unless they collaborate with business unit leaders.
Collaboration of this kind also spreads security awareness and an appreciation of the need for a security-first culture. By collaborating with HR, CISOs can change their companies’ security training programs to build a more robust framework that repels threats.
An Ever-changing Role
As cybersecurity has emerged as a major factor for business success, CISOs have experienced plenty of changes in their roles. While they have certainly dealt with changing security threats in the past, modern CISOs must now broaden their scope and secure their companies from business-wide risks.