May 23, 2014 By Martin Borrett 2 min read

The CISO in 2014: Security Strategies for Building Confidence and Trust Amidst Uncertainty

I recently hosted a fascinating panel discussion with three of Europe’s top Chief Information Security Officers (CISOs). I was joined on a live webinar by Norway-based EVRY CISO Kaare Bjørn Martinussen; Paul Hyland, CISO for the Ireland-based Ardagh Group; and Carles Sole Pascual, information security director of Spain’s CaixaBank. This interactive discussion focused on today’s hottest security topics and what was top of mind with these CISOs in 2014. It was interesting for me — and I hope for our audience — to hear their unique insights about the specific challenges and the innovative ways their organizations are approaching today’s evolving threats.

The Changing Role of Today’s CISO

IBM has been doing some interesting work in recent years looking at the evolving role of the chief information security officer. We started that work in early 2012 when we published our “Feeling the Pressure” paper, in which information security leaders shared insights into how they were reinventing the role in the face of accelerating industry change.

We followed this work with our 2012 CISO Assessment, where we looked in detail at more than 130 CISOs from around the world to gain deeper insight into this evolving role. In 2013, we continued this work with a further in-depth assessment interviewing senior security leaders before publishing this latest paper, “A New Standard for Security Leaders.” The report focused on three areas: Business practices, technology maturity and measurement capabilities. Three strong recommendations emerged:

  • Actively build trust at the C-level while broadly communicating an explicit security strategy.
  • Invest in mobile security and advanced technology to directly support the business.
  • Focus on the overall economic impact of risk.

Three Topics That Are Top of Mind for Chief Information Security Officers

With this backdrop, our expert panel discussed a number of key topics: the threat landscape, the role of the CISO, compliance and regulation, and investments and priorities for 2014. What really stood out is how fast the landscape is changing, and as I reflect on the discussion, I would posit that there are three main takeaways for every CISO:

  1. Organizations are being forced to plan and review far more frequently, from quarterly to monthly. There was far more consistent communication up the chain by the panelists — they don’t just sit in the background. They must, and regularly do, talk to the business; they are “in their face,” as it were. This better engagement with the business leads to budget buy-in and better business alignment. It is important in security discussions to be open but also correct. Accuracy is important; stay factual, otherwise credibility suffers.
  2. From a technology standpoint, there was considerable discussion about the need for improved forensics. However, there is still much work to be done to understand what kind of forensics and data are needed. Now and in the future, what do we need to collect on a daily basis?
  3. One other particularly interesting insight was the move by one of the panelists from a 27001/2 stance towards a PCI mindset. It would be interesting to see whether other organizations are thinking the same way and get deeper into the benefits of such an approach.

These insights fuel the need for further discussion and debate, and I look forward to the next in our series of CISO webinars next quarter. On-demand playback for the webinar is live and can be accessed here.

Insights from the 2013 IBM Chief Information Security Officer Assessment
