This is Part 3 in our six-part series on creating a strategy map for security leaders. Be sure to read Part 1 and Part 2 for the full story.

The second row of our strategy map for security leaders is about how CISOs should strive to be perceived by the organization’s key stakeholders in order to deliver on their strategic objective of managing risk.

Modern Information Security Is in a State of Transformation

As shown by the NG Security Summit, recent conversations among more than 60 information security leaders underscored the ongoing transformation of modern information security. In these discussions, a great deal of attention was given to the transformations taking place at a tactical, technical level:

  • Attackers are increasingly sophisticated, targeted and organized.
  • Defenders continue to look for the most effective ways to prevent, detect and respond more quickly to the threats, vulnerabilities and exploits that put their organizations at risk.

To be clear, these tactical transformations are the many disruptive changes taking place in a technical context.

At the same time, CISOs are also at various stages of a strategic transformation of information security, as well as a strategic transformation in themselves as its leaders. This shift calls for leaders to go far beyond their traditional comfort zones and technical subject matter expertise. This second strategic transformation is related to the first, but it’s also quite different. It should be thought of as an addition, not a replacement.

In addition to technical knowledge and subject matter expertise, security leaders are increasingly aware that business acumen and the ability to serve as a trusted adviser to senior business leaders are essential attributes. This is especially true if they are to maximize and successfully sustain the relevance of information security to key stakeholders.

It’s essential to the continued relevance of CISOs, as well. This very particular set of skills is not necessarily easy to find in a single person, but the emerging pattern for successful CISOs is clearly headed in the direction of the business-oriented technologist and the tech-savvy businessperson.

What CISOs Are Talking About

The transition to a dual or blended role is not happening overnight. For example, both sides of the coin can be seen in the leading challenges that this particular group of security leaders recently identified in roundtable discussions at the NG Security Summit.

The three roundtables were:

  • Roundtable Discussion 1: Threat and Vulnerability Landscape
  • Roundtable Discussion 2: Best Practices in Security Controls
  • Roundtable Discussion 3: Governance, Risk, Compliance and the Business Value of Information Security

The leading challenges identified across these discussions were:

  • Phishing attacks against employees
  • Malware becoming more prevalent than ever and the commoditization of malware
  • Personalized attacks tailored to a specific organization and its weaknesses
  • Security for mobility and cloud computing
  • Keeping up with the pace of change regarding technology, regulations, globalization of business and third-party relationships
  • Managing talent and culture
  • Using the language of risk properly and quantifying risk in terms of business impact
  • Establishing a clear understanding within the organization about ownership of risk and the power and influence of the CISO to drive decisions about risk
  • Ability to communicate clearly and consistently about the business value provided by information security
  • Ability to hire, develop and retain the right people with the right skills for the information security team

In the workshops and panel discussions that took place over three days, a simple analysis showed that these conversations continue to skew toward the technical side, with words like security, breach, threat, risk, data and cloud being much more prevalent than business or value. This strongly suggests that information security leaders remain focused predominantly on the technical and defensive dimensions.

The transformation noted above must happen — and there is ample evidence that it is starting to happen — but it seems clear that it will take place incrementally over an extended period.

This finding is by no means a fluke or an anomaly based on a relatively small sample size. As described in the blog “RSA Conference 2015: What We Talked About,” a similar analysis found the 77 most frequent words from the titles and descriptions of more than 300 sessions. These words were mentioned a total of 8,687 times, broken down as follows:

  • Words or topics that are technical: 6,222 (72 percent); and
  • Words or topics that are nontechnical: 2,465 (28 percent).

Focusing in on just those words that are related to security solutions being used in a business context revealed a similar, predominantly technical focus:

  • Words or topics related to people: 204 (5 percent);
  • Words or topics related to process: 662 (15 percent);
  • Words or topics related to technology: 2,871 (67 percent); and
  • Words or topics related to the business: 562 (13 percent).

It’s probably stretching it too far to suggest that if the goal is a 50/50 balance between the roles of subject matter experts and trusted advisers, the current split is skewed about 70/30 towards the technical side. But that’s what these numbers show.

Security Leaders Must Serve Both Roles: Subject Matter Experts and Trusted Advisers

What’s important to acknowledge is that in our strategy map for security leaders, the key stakeholders in the organization must come to perceive CISOs and the information security teams as both technical subject matter experts and trusted business advisers.

As depicted in the second row of the generalized strategy map, both roles are essential if the information security function is going to deliver successfully on its primary objective, which is to help the organization manage both types of security-related risks.

To make this perception a reality, security leaders have to take on the primary responsibility for bridging the gap between the two cultures. This means reconciling the divide that often leaves technologists on the one side and businesspeople on the other.

The first rule of evangelization is to meet people where they’re at; simply waiting for the other side to change is not the answer. Neither is complaining about not being understood or appreciated, or failing to communicate properly in the language of risk, which business leaders already understand and regularly act upon. It falls on the security leaders to take proactive steps in the right direction.
