January 27, 2016 By Derek Brink

This is Part 3 in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1 and Part 2 for the full story.

The second row of our strategy map for security leaders is about how CISOs should strive to be perceived by the organization’s key stakeholders in order to deliver on their strategic objective of managing risk.

Modern Information Security Is in a State of Transformation

As shown by the NG Security Summit, recent conversations among more than 60 information security leaders underscored the ongoing transformation of modern information security. In these discussions, a great deal of attention was given to the transformations taking place at a tactical, technical level:

  • Attackers are increasingly sophisticated, targeted and organized.
  • Defenders continue to look for the most effective ways to prevent, detect and respond more quickly to the threats, vulnerabilities and exploits that put their organizations at risk.

To be clear, these tactical transformations are the many disruptive changes taking place in a technical context.

At the same time, CISOs are also at various stages of a strategic transformation of information security, as well as a strategic transformation in themselves as its leaders. This shift calls for leaders to go far beyond their traditional comfort zones and technical subject matter expertise. This second strategic transformation is related to the first, but it’s also quite different. It should be thought of as an addition, not a replacement.

In addition to technical knowledge and subject matter expertise, security leaders are increasingly aware that business acumen and the ability to serve as a trusted adviser to senior business leaders are essential attributes. This is especially true if they are to maximize and successfully sustain the relevance of information security to key stakeholders.

It’s essential to the continued relevance of CISOs, as well. This very particular set of skills is not necessarily easy to find in a single person, but the emerging pattern for successful CISOs is clearly headed in the direction of the business-oriented technologist and the tech-savvy businessperson.

What CISOs Are Talking About

The transition to a dual or blended role is not happening overnight. For example, both sides of the coin can be seen in the leading challenges that this particular group of security leaders recently identified in roundtable discussions at the NG Security Summit.

Roundtable Discussion 1: Threat and Vulnerability Landscape

  • Phishing attacks against employees
  • Malware becoming more prevalent than ever and the commoditization of malware
  • Personalized attacks tailored to a specific organization and its weaknesses

Roundtable Discussion 2: Best Practices in Security Controls

  • Security for mobility and cloud computing
  • Keeping up with the pace of change regarding technology, regulations, globalization of business and third-party relationships
  • Managing talent and culture

Roundtable Discussion 3: Governance, Risk, Compliance and the Business Value of Information Security

  • Using the language of risk properly and quantifying risk in terms of business impact
  • Establishing a clear understanding within the organization about ownership of risk and the power and influence of the CISO to drive decisions about risk
  • Ability to communicate clearly and consistently about the business value provided by information security
  • Ability to hire, develop and retain the right people with the right skills for the information security team

In the workshops and panel discussions that took place over three days, a simple analysis showed that these conversations continue to skew toward the technical side, with words like security, breach, threat, risk, data and cloud being much more prevalent than business or value. This strongly suggests that information security leaders continue to be focused predominantly on technical and defensive dimensions.

The transformation noted above must happen — and there is ample evidence that it is starting to happen — but it seems clear that it will take place incrementally over an extended period.

This finding is by no means a fluke or an anomaly based on a relatively small sample size. As described in the blog “RSA Conference 2015: What We Talked About,” a similar analysis found the 77 most frequent words from the titles and descriptions of more than 300 sessions. These words were mentioned a total of 8,687 times, broken down as follows:

  • Words or topics that are technical: 6,222 (72 percent); and
  • Words or topics that are nontechnical: 2,465 (28 percent).

Focusing in on just those words that are related to security solutions being used in a business context revealed a similar, predominantly technical focus:

  • Words or topics related to people: 204 (5 percent);
  • Words or topics related to process: 662 (15 percent);
  • Words or topics related to technology: 2,871 (67 percent); and
  • Words or topics related to the business: 562 (13 percent).

It’s probably stretching it too far to suggest that if the goal is a 50/50 balance between the roles of subject matter experts and trusted advisers, the current split is skewed about 70/30 towards the technical side. But that’s what these numbers show.

Security Leaders Must Serve Both Roles: Subject Matter Experts and Trusted Advisers

What’s important to acknowledge is that in our strategy map for security leaders, the key stakeholders in the organization must come to perceive CISOs and the information security teams as both technical subject matter experts and trusted business advisers.

As depicted in the second row of the generalized strategy map, both roles are essential if the information security function is going to deliver successfully on its primary objective, which is to help the organization manage both types of security-related risks.

To make this perception a reality, security leaders have to take on the primary responsibility for bridging the gap between the two cultures. This means reconciling the divide that often leaves technologists on the one side and businesspeople on the other.

The first rule of evangelization is to meet people where they’re at; simply waiting for the other side to change is not the answer. Neither is complaining about not being understood or appreciated, or failing to communicate properly in the language of risk, which business leaders already understand and regularly act upon. It falls on the security leaders to take proactive steps in the right direction.
