As boards and top executives come to terms with their responsibilities regarding cyber risks, attention is increasingly being directed at the leadership qualities of chief information security officers (CISOs).
To get a handle on cyber risks, board directors and executive management have to rely on CISOs to evaluate, quantify and communicate — perhaps even translate — the various cyberthreats into tangible figures for management to act on.
About the Outdated Roles
Yet the CISO who has gotten the organization to where it is today may not be the appropriate leader to help steer it through the challenges of 2016 and beyond. Here are five characterizations of CISOs that could be wrong for the organization from a cybersecurity risk perspective.
Picture a CISO who is stuck mainly looking for and securing IT risks, primarily through technical controls. This can be due to the CISO’s own limited understanding of the nature of cyber risks or the refusal by leadership to grasp the broad implications of today’s cyberthreats.
The Low-Level Manager
Even today, there are CISOs who do not have the levels of visibility, support and interactions required to understand and communicate the organization’s cyber risks to the board.
The Yearly Visitor
Many organizations have at last added cyber risks to their agenda, albeit on a yearly or, at best, quarterly basis. When the CISO is given 10 or 20 minutes once per quarter to present the organization’s cyber posture, the quality of interactions is unlikely to be sufficient to truly evaluate, direct or monitor the organization’s cyber risks.
Only 10 years ago, business managers could argue that security wasn’t needed at product launch and instead would be addressed with the next update. Today, security has veto power, and this power may have grown to terrifying proportions: If innovations are slow or altogether stopped, it could be a sign that security gets in the way.
The Subordinate of the CIO
For decades, security was relegated to the IT function, and for those organizations advanced enough to have CISOs, the position often reported up to the CIO role. As such, the security budget — with all its implications on the range of activities possible within the organization — was always a fraction of the IT budget. Security took a back seat to driving the organization forward. CISOs stuck in the position may lack the power or resources needed to truly get a handle on security threats.
A New Role for the CISO
As has been said repeatedly, security is no longer an IT problem — assuming it ever was. For 2016 and beyond, board directors and top leadership need a CISO who is a true partner. For the CISO, this means:
Balancing Risks and the Business
CISOs must be cyber risk leaders. Or, should the organization have a chief risk officer (CRO), they can strongly align themselves with the CRO.
A chief information security officer also needs to be a business-focused leader who excels at anticipating, scoping, evaluating and properly translating cyber risks for the rest of the leadership to participate in. As the IBM “Securing the C-Suite” report pointed out, the most successful organizations are those in which there is a high degree of collaboration within the C-suite.
Furthermore, CISOs and CIOs need to pay special attention to including the rest of the CXOs in deliberations and decisions regarding cyber risks. CISOs should partner with CFOs, CHROs and CMOs to ensure there are no dark corners when it comes to risks in the organization.
Aligning With the C-Suite
Among other key recommendations from the “Securing the C-Suite” report is that CISOs should be empowered “with the mission of managing information security risk across the enterprise and leading the initiative among the C-suite.”
This should encourage them to “elevate and regularly discuss cybersecurity at C-suite and board meetings, and engage risk, finance, marketing, human resources” and other stakeholders. This implies that the CISO role is correctly positioned to have the proper level of visibility and interactions across the organization. The most effective CISOs will also possess leadership qualities on par with their CXO peers.
Moving Toward Cyber Resilience
One of the primary tasks of CISOs should be helping the organization improve its handling of cyber risks and moving toward cyber resilience. In addition, the reporting of cyber risks should tend toward a continuous capability (i.e., what’s the cyber risk today) instead of a snapshotting capability (i.e., what was it at a given point in time). The organization should not wait for the next quarterly meeting to generate a snapshot of its cyber risk today.
As part of this process, which is one of three key areas of concern for 2016, “organizations should assess the extent to which their security capabilities are maturing, evaluate whether cyber risks are integrated within the larger enterprise risk management system and continually examine their organization’s ability to be resilient when it comes to the cyber realm.”
Cybersecurity risks can impact any and all areas of the business at lightning speeds. The stakes are high — definitely high enough for boards and leadership to ask themselves whether the CISO who got them there is still the best person to lead the organization forward tomorrow.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato
Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...