May 20, 2016 By Christophe Veltsos

As boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).

To get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate — perhaps even translate — the various cyberthreats into tangible figures for management to act on.

About the Outdated Roles

Yet the CISO who has gotten the organization to where it is today may not be the appropriate leader to help steer it through the challenges of 2016 and beyond. Here are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.

The Technologist

Picture a CISO who is stuck mainly identifying and mitigating IT risks, primarily through technical controls. This can be due to the CISO’s own limited understanding of the nature of cyber risks or to leadership’s refusal to grasp the broad implications of today’s cyberthreats.

The Low-Level Manager

Even today, there are CISOs who do not have the levels of visibility, support and interactions required to understand and communicate the organization’s cyber risks to the board.

The Yearly Visitor

Many organizations have at last added cyber risks to their agenda, albeit on a yearly or, at best, quarterly basis. When the CISO is given 10 or 20 minutes once per quarter to present the organization’s cyber posture, the quality of interactions is unlikely to be sufficient to truly evaluate, direct or monitor the organization’s cyber risks.

The Scarecrow

Only 10 years ago, business managers could argue that security wasn’t needed at product launch and could instead be addressed in the next update. Today, security has veto power, and that power may have grown to terrifying proportions: If innovations are slow or stopped altogether, it could be a sign that security is getting in the way rather than enabling the business.

The Subordinate of the CIO

For decades, security was relegated to the IT function, and for those organizations advanced enough to have CISOs, the position often reported up to the CIO role. As such, the security budget — with all its implications on the range of activities possible within the organization — was always a fraction of the IT budget. Security took a back seat to driving the organization forward. CISOs stuck in the position may lack the power or resources needed to truly get a handle on security threats.

A New Role for the CISO

As has been said repeatedly, security is no longer an IT problem — assuming it ever was. For 2016 and beyond, board directors and top leadership need a CISO who is a true partner. For the CISO, this means:

Balancing Risks and the Business

CISOs must be cyber risk leaders, or, where the organization has a chief risk officer (CRO), they should align themselves closely with the CRO.

A chief information security officer also needs to be a business-focused leader who excels at anticipating, scoping, evaluating and properly translating cyber risks so that the rest of the leadership can take part in the decisions. As the IBM “Securing the C-Suite” report pointed out, the most successful organizations are those in which there is a high degree of collaboration within the C-suite.

Furthermore, CISOs and CIOs need to pay special attention to including the rest of the CXOs in deliberations and decisions regarding cyber risks. CISOs should partner with CFOs, CHROs and CMOs to ensure there are no dark corners when it comes to risks in the organization.

Aligning With the C-Suite

Among other key recommendations from the “Securing the C-Suite” report is that CISOs should be empowered “with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.”

This should encourage them to “elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources” and other stakeholders. This implies that the CISO role is correctly positioned to have the proper level of visibility and interactions across the organization. The most effective CISOs will also possess leadership qualities on par with their CXO peers.

Moving Toward Cyber Resilience

One of the primary tasks of CISOs should be helping the organization improve its handling of cyber risks and move toward cyber resilience. In addition, the reporting of cyber risks should tend toward a continuous capability (i.e., what is the cyber risk today) instead of a snapshot capability (i.e., what was it at a given point in time). The organization should not have to wait for the next quarterly meeting to learn what its cyber risk is right now.

As part of this process, which is one of three key areas of concern for 2016, “organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.”

Cybersecurity risks can impact any and all areas of the business at lightning speed. The stakes are high, certainly high enough for boards and leadership to ask themselves whether the CISO who got them here is still the best person to lead the organization forward tomorrow.
