May 20, 2016 By Christophe Veltsos 3 min read

As boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).

To get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate — perhaps even translate — the various cyberthreats into tangible figures for management to act on.

About the Outdated Roles

Yet the CISO who has gotten the organization to where it is today may not be the appropriate leader to help steer it through the challenges of 2016 and beyond. Here are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.

The Technologist

Picture a CISO who is stuck mainly looking for and mitigating IT risks, primarily through technical controls. This can be due to the CISO's own limited understanding of the nature of cyber risks or to leadership's refusal to grasp the broad implications of today's cyberthreats.

The Low-Level Manager

Even today, there are CISOs who do not have the levels of visibility, support and interactions required to understand and communicate the organization’s cyber risks to the board.

The Yearly Visitor

Many organizations have at last added cyber risks to their agenda, albeit on a yearly or, at best, quarterly basis. When the CISO is given 10 or 20 minutes once per quarter to present the organization’s cyber posture, the quality of interactions is unlikely to be sufficient to truly evaluate, direct or monitor the organization’s cyber risks.

The Scarecrow

Only 10 years ago, business managers could argue that security wasn't needed at product launch and would instead be addressed with the next update. Today, security has veto power, and that power may have grown to terrifying proportions: if innovations are slowed or stopped altogether, it could be a sign that security is getting in the way rather than enabling the business.

The Subordinate of the CIO

For decades, security was relegated to the IT function, and for those organizations advanced enough to have CISOs, the position often reported up to the CIO role. As such, the security budget — with all its implications on the range of activities possible within the organization — was always a fraction of the IT budget. Security took a back seat to driving the organization forward. CISOs stuck in the position may lack the power or resources needed to truly get a handle on security threats.

A New Role for the CISO

As has been said repeatedly, security is no longer an IT problem — assuming it ever was. For 2016 and beyond, board directors and top leadership need a CISO who is a true partner. For the CISO, this means:

Balancing Risks and the Business

CISOs must be cyber risk leaders. Where the organization has a chief risk officer (CRO), they should align themselves closely with the CRO.

A chief information security officer also needs to be a business-focused leader who excels at anticipating, scoping, evaluating and properly translating cyber risks so that the rest of the leadership can take part in the decisions. As the IBM “Securing the C-Suite” report pointed out, the most successful organizations are those in which there is a high degree of collaboration within the C-suite.

Furthermore, CISOs and CIOs need to pay special attention to including the rest of the CXOs in deliberations and decisions regarding cyber risks. CISOs should partner with CFOs, CHROs and CMOs to ensure there are no dark corners when it comes to risks in the organization.

Aligning With the C-Suite

Among other key recommendations from the “Securing the C-Suite” report is that CISOs should be empowered “with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.”

This should encourage them to “elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources” and other stakeholders. This implies that the CISO role is correctly positioned to have the proper level of visibility and interactions across the organization. The most effective CISOs will also possess leadership qualities on par with their CXO peers.

Moving Toward Cyber Resilience

One of the primary tasks of CISOs should be helping the organization improve its handling of cyber risks and move toward cyber resilience. In addition, the reporting of cyber risks should tend toward a continuous capability (i.e., what is the cyber risk today) instead of a snapshotting capability (i.e., what was it at a given point in time). The organization should not have to wait for the next quarterly meeting to learn its current cyber risk.

As part of this process, which the report identifies as one of three key areas of concern for 2016, “organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.”

Cybersecurity risks can impact any and all areas of the business at lightning speeds. The stakes are high — definitely high enough for boards and leadership to ask themselves whether the CISO who got them there is still the best person to lead the organization forward tomorrow.
