As hacking attacks escalate, demanding media attention and costing businesses hundreds of millions of dollars, organizations are fighting back. Above all, they are learning to treat information security not just as a technical problem, but an ongoing challenge that extends across the enterprise.

Chief information security officers (CISOs) are emerging as the crucial players in the evolving understanding of security. Indeed, when the history of information security in the 21st century is written, the current era may well be recorded as the decade of the CISO.

The CISO and Growing External Threats

The changing role of information security in the enterprise is being driven by business leaders’ recognition of a rapidly evolving threat.

For the past three years, IBM has published its annual Chief Information Security Officer Assessment, which tracks CISOs’ perceptions of threats and how their organizations are responding. The most recent survey shows how external threats (hacking attacks) have pulled away and taken the lead from other security concerns.

The most recent high-profile attack on Sony Pictures Entertainment exemplifies the scope of this external threat. Risks are not confined to the most obvious potential victims, such as retailers, who must protect millions of customer account records. Any and all intellectual property is at risk of being compromised. The attackers may be motivated by financial gain, including extortion by threat of data destruction. Their motives can also extend to political causes or be sponsored by state intelligence agencies.

Security as a Policy Issue

Such ruthless and sophisticated attackers pose an existential threat to the enterprise. In response, as Brian Engle and Renee Guttman report at CSO Online, CISOs are being asked to provide technical knowledge and policy guidance. According to the National Association for Corporate Directors, “Cybersecurity is an enterprise-wide risk management issue, not just an IT issue.”

Engle and Guttman identify three key issues that enterprise leaders should consider in their security planning. They need to consider CISO access to top decision-makers and the overall governance of the security policy. They must also focus on training the next generation of security leaders, with emphasis on engaging board members and other key stakeholders.

Finally, while security breaches are driving headlines, enterprises cannot let headlines drive their security policies. Security must be proactive, not reactive to the most recent crisis.

Information security threats will continue to evolve, and the role of the CISO will evolve along with them. By bringing the CISO into the strategic discussion, enterprise leaders can keep their security framework pointing forward.

Download the IBM Report: Cybersecurity perspectives from the boardroom and C-suite

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read