February 22, 2021 By Sue Poremba

Ever since the role of the chief information security officer (CISO) was first created in 1994, the position has been treated like the pesky youngest sibling in the C-suite family. In the office, the CISO wasn’t given the same voice as the chief information officer (CIO) or other executives. During meetings of the board of directors, the CISO often wasn’t given a place at the table, and digital defense wasn’t treated as a business priority.

Now that CISOs have greater access, directors and other C-suite members are more willing to see that their domain isn’t a separate entity but needs to be part of overall business plans. So, how has this change come about? How did the CISO come to gain a seat at the table with the rest of the C-suite? And, what do they need to do in order to succeed there?

CISO Brought to the Fore

Nowadays, entities across industry verticals have suffered major data breaches or been the victim of high-profile ransomware attacks. Because of this, cyber defense has taken on a new urgency. At the same time, the duties of the CISO have slowly shifted. Twenty years ago, the typical CISO was someone with strong technical skills first (often coming from an IT role) who understood the basic defensive tools.

“Now, a good CISO will have regular access to the board and be known around their organization for their advocacy of infosec, good leadership and their knowledge of how tech can be used to help the business,” Mark Ward, senior research analyst at the Information Security Forum, says in an email interview.

What Makes the CISO Unique in the C-Suite?

All of these acronyms for different C-suite titles can be confusing. Most people know the terms ‘chief executive officer’ (CEO) and ‘chief financial officer’ (CFO), and those job descriptions are consistent from one company to the next. There is no question about who is in charge of finances or overall leadership. But when you get to tech leadership, the titles become a little murkier.

In addition to CIO and CISO, businesses may have chief technology officers, chief security officers and chief data officers. There is overlap, and not all companies will have each of these positions.

The CIO is in charge of IT, while the CSO handles all security across the board, physical and digital. The CISO handles data, systems and network security. Originally this position was created to handle cyberattacks against a financial entity, but today, the role of the CISO is much more complex. The CISO’s responsibilities include leading the team that handles real-time threats and mitigates attacks, overseeing the security architecture and the protection of the corporate infrastructure, and implementing security policies and management practices designed to foresee and address risk. These can include security awareness training and incident response and recovery procedures.

New Soft Skills

Where it started out as a tech-centric position, the CISO role has begun to change. Now, soft skills are as important as technical skills. According to research from Information Security Forum, today’s CISO needs to be a good manager and have people skills, as well as seeing how cyber risks fit into business overall. They need to understand the goals of the wider business and how those intersect with security. 

“It is a position that has become defined by personality, history, practice and the demands of individual organizations, rather than through clearly defined policies and procedures,” the research notes. “Next-generation CISOs will need to respond to these forces and take a keen interest in a wide variety of topics to stay at the top of their game.”

Many CISOs will have an engineering or IT background, which is important for the architecture and infrastructure side of the job, but good defense is also about building partnerships. Practicing good security hygiene doesn’t come naturally to most people, so it is the CISO’s job to be a teacher and mentor. They should be able to talk openly with everyone from the company president to the front desk receptionist, and with partners along the supply chain. A standoffish CISO will discourage employees from coming forward to report a mistake (like clicking on a link) that could lead to a major cyber incident. The CISO must also build a solid understanding of every step in the business structure. The systems they oversee should run in tandem with other parts of the business, not slow down production.

From Executive to the Board Room

In the past, most members of the C-suite didn’t understand what the CISO’s role was. CISOs often had to report to other leaders. The CIO’s job included giving cybersecurity reports to the board of directors, if the topic was even on the agenda. What changed is the number of digital tools in the workplace and the rise of digital risks.

Board awareness of those risks comes largely from seeing the actual damage done by digital attacks. However, truly effective messaging across the C-suite requires another one of the CISO soft skills: good communication. CISOs must research defensive systems that also balance return on investment and other business goals. They must then explain what they see to the board in order to get proper funding and support.

The role of the CISO is evolving, just as cyber threats evolve. The importance of digital defense has finally reached the board table, and it is up to tomorrow’s CISO to make the most of the change.
