Ever since the role of the chief information security officer (CISO) was first created in 1994, the position has been treated like the pesky youngest sibling in the C-suite family. In the office, the CISO wasn’t given the same voice as the chief information officer (CIO) or other executives. During meetings of the board of directors, the CISO often wasn’t given a place at the table, and digital defense wasn’t treated as highly important for the business.
Now that CISOs have greater access, directors and other C-suite members are more willing to see that their domain isn’t a separate entity but needs to be part of overall business plans. So, how has this change come about? How did the CISO come to gain a seat at the table with the rest of the C-suite? And, what do they need to do in order to succeed there?
CISO Brought to the Fore
Nowadays, entities across industry verticals have suffered major data breaches or been the victim of high-profile ransomware attacks. Because of this, cyber defense has taken on a new urgency. At the same time, there has been a slow shift of the duties of the CISO. Twenty years ago, the typical CISO was someone who had good tech skills first (often coming from an IT role) and could understand basic defensive tools.
“Now, a good CISO will have regular access to the board and be known around their organization for their advocacy of infosec, good leadership and their knowledge of how tech can be used to help the business,” Mark Ward, senior research analyst at the Information Security Forum, says in an email interview.
What Makes the CISO Unique in the C-Suite?
All of these acronyms for different C-suite titles can be confusing. Most people know the terms ‘CEO’ and ‘chief financial officer,’ and their job descriptions are consistent. There is no question about who is in charge of finances or overall leadership. But when you get to tech leadership, the titles become a little murkier.
In addition to CIO and CISO, businesses may have chief technology officers, chief security officers and chief data officers. There is overlap, and not all companies will have each of these positions.
The CIO is in charge of IT, while the CSO handles all security across the board, physical and digital. The CISO handles data, systems and network security. Originally this position was created to handle cyberattacks against a financial entity, but today, the role of the CISO is much more complex. The CISO’s responsibilities include leading the team handling real-time threats and mitigation of attacks, overseeing the security architecture and the protection of the corporate infrastructure, and implementing security policies and management designed to foresee and address risk. These can include security awareness training and creating repair protocols.
New Soft Skills
Where it started out as a tech-centric position, the CISO role has begun to change. Now, soft skills are as important as technical skills. According to research from Information Security Forum, today’s CISO needs to be a good manager and have people skills, as well as seeing how cyber risks fit into business overall. They need to understand the goals of the wider business and how those intersect with security.
“It is a position that has become defined by personality, history, practice and the demands of individual organizations, rather than through clearly defined policies and procedures,” the research notes. “Next-generation CISOs will need to respond to these forces and take a keen interest in a wide variety of topics to stay at the top of their game.”
Many CISOs will have an engineering or IT background, which is important for the architecture and infrastructure side of the job, but good defense is also about building partnerships. Practicing good security hygiene doesn’t come naturally to anyone, so it is the CISO’s job to be a teacher and mentor. They should be able to talk openly with everyone from the company president to the front desk receptionist and everyone along the supply chain. A standoffish CISO will discourage employees from coming forward to report a mistake (like clicking on a link) that could lead to a major cyber incident. Also, the CISO must build a solid knowledge base of every step in the business structure. The systems they oversee should run in tandem with other parts of the business, not slow down production.
From Executive to the Board Room
In the past, most members of the C-suite didn’t understand what the CISO’s role was. CISOs often had to report to other leaders. The CIO’s job included giving cybersecurity reports to the board of directors, if the topic was even on the agenda. What changed is the amount of digital tools in the workplace and the rise of digital risks.
This knowledge comes from seeing the actual damage done by digital attacks. However, truly effective messaging across the C-suite requires another one of the CISO soft skills — good communication. CISOs must research defensive systems that also balance return on investment and other business goals. They must explain what they see back to the board in order to get proper funding and support.
The role of the CISO is evolving, just as cyber threats evolve. The importance of digital defense has finally reached the board table, and it is up to tomorrow’s CISO to make the most of the change.