As boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).

To get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate — perhaps even translate — the various cyberthreats into tangible figures for management to act on.

About the Outdated Roles

Yet the CISO who has gotten the organization to where it is today may not be the appropriate leader to help steer it through the challenges of 2016 and beyond. Here are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.

The Technologist

Picture a CISO who is stuck mainly finding and mitigating IT risks, primarily through technical controls. This can be due to the CISO’s own limited understanding of the nature of cyber risks or the refusal by leadership to grasp the broad implications of today’s cyberthreats.

The Low-Level Manager

Even today, there are CISOs who do not have the levels of visibility, support and interactions required to understand and communicate the organization’s cyber risks to the board.

The Yearly Visitor

Many organizations have at last added cyber risks to their agenda, albeit on a yearly or, at best, quarterly basis. When the CISO is given 10 or 20 minutes once per quarter to present the organization’s cyber posture, the quality of interactions is unlikely to be sufficient to truly evaluate, direct or monitor the organization’s cyber risks.

The Scarecrow

Only 10 years ago, business managers could argue that security wasn’t needed at product launch and instead would be addressed with the next update. Today, security has veto power, and this power may have grown to terrifying proportions: If innovations are slow or altogether stopped, it could be a sign that security gets in the way.

The Subordinate of the CIO

For decades, security was relegated to the IT function, and for those organizations advanced enough to have CISOs, the position often reported up to the CIO role. As such, the security budget — with all its implications on the range of activities possible within the organization — was always a fraction of the IT budget. Security took a back seat to driving the organization forward. CISOs stuck in the position may lack the power or resources needed to truly get a handle on security threats.

A New Role for the CISO

As has been said repeatedly, security is no longer an IT problem — assuming it ever was. For 2016 and beyond, board directors and top leadership need a CISO who is a true partner. For the CISO, this means:

Balancing Risks and the Business

CISOs must be cyber risk leaders. Where the organization has a chief risk officer (CRO), they can instead align themselves strongly with the CRO.

A chief information security officer also needs to be a business-focused leader who excels at anticipating, scoping, evaluating and properly translating cyber risks so that the rest of the leadership can take part in addressing them. As the IBM “Securing the C-Suite” report pointed out, the most successful organizations are those in which there is a high degree of collaboration within the C-suite.

Furthermore, CISOs and CIOs need to pay special attention to including the rest of the CXOs in deliberations and decisions regarding cyber risks. CISOs should partner with CFOs, CHROs and CMOs to ensure there are no dark corners when it comes to risks in the organization.

Aligning With the C-Suite

Among other key recommendations from the “Securing the C-Suite” report is that CISOs should be empowered “with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.”

This should encourage them to “elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources” and other stakeholders. This implies that the CISO role is correctly positioned to have the proper level of visibility and interactions across the organization. The most effective CISOs will also possess leadership qualities on par with their CXO peers.

Moving Toward Cyber Resilience

One of the primary tasks of CISOs should be helping the organization improve its handling of cyber risks and moving toward cyber resilience. In addition, the reporting of cyber risks should tend toward a continuous capability (i.e., what’s the cyber risk today) instead of a snapshotting capability (i.e., what was it at a given point in time). The organization should not wait for the next quarterly meeting to generate a snapshot of its cyber risk today.

As part of this process, which is one of three key areas of concern for 2016, “organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.”

Cybersecurity risks can impact any and all areas of the business at lightning speeds. The stakes are high — definitely high enough for boards and leadership to ask themselves whether the CISO who got them there is still the best person to lead the organization forward tomorrow.
