In spite of being widely used, the role of the chief information security officer (CISO) has only had a few decades of existence and is still evolving. Research from the Security Transformation Research Foundation, based on the semantic analysis of the content of 17 annual global security reports from EY between 2002 and 2019, points toward the role having already gone through two clear phases in its evolution as it heads into its third decade of existence.
The first decade of the century was essentially a “Compliance Decade.” Security was seen as a balancing act among compliance requirements, risk appetite and costs; the CISO was mostly a risk manager. The past decade has been effectively a “Realization Decade,” during which cybersecurity started to be seen as a necessary barrier against real threats in a context of increasing cyberattacks and data breaches (in number and scale), massive technological change and the aftermath of a historic financial crisis.
As a matter of fact, the past decade has been particularly complex for CISOs. Not only has the non-stop avalanche of cyberattacks prevented them from getting out of firefighting mode, but their role has also been challenged—and, in many cases, marginalized—at a number of levels.
The emergence of cloud technologies, energizing the digital transformation urgency in many industries, has changed the roles of the CIO and the CISO. In many firms, the CIO now has to share powers with chief data or digital officers and, at the same time, deal with an increasing number of powerful service providers, enduring legacy technology and technical debt and increased pressure from business units looking to gain a digital competitive advantage, something the Covid-19 crisis has accentuated even further.
Over time, the historical role of the CISO, if it remains attached to the historical role of the CIO, runs the risk of being marginalized with it, becoming the guardian of an increasingly empty shell surrounded by an increasingly complex supply chain.
At the same time, large scale cyberattacks have put cyber risk firmly on the Board’s agenda, but information security, the traditional perimeter of the CISO, is often seen as only one aspect of a much bigger problem: The Board wants to see a fuller picture, encompassing the whole capability of the enterprise to sustain a cyberattack and recover from it. In larger firms, this “resilience” concept tends to lead to the emergence of broader enterprise security functions, which push down the historical role of the CISO.
This is deepened by the importance privacy regulations are also playing in shaping the Board agenda around security: in Europe with the GDPR, and gradually elsewhere through equivalent legislation in the U.S. and around the world.
GDPR, in particular, has been a big topic in many firms over the past few years. Tens of millions have been spent toward “compliance” in larger firms, and a good proportion of that went toward security-related measures. However, many CISOs have failed to capitalize politically on the topic, which has been treated (broadly) as a legal issue. The data protection officer roles and other chief privacy officer functions, which are emerging in relation to the implementation of the GDPR and other legislation, are likely to create an additional corporate layer “breathing down the neck” of many CISOs and altering their historical ways of working.
As the role heads into its third decade with a firmer transformative mandate to bring the cyberattack epidemic under control, business leaders must take a different look at it. It is time to stop searching for non-existent profiles, expecting the CISO to be credible one day in front of the Board, the next in front of hackers, the third in front of developers, and all the way across the depth and breadth of the enterprise and its supply chain.
Those profiles don’t exist anymore, given the transversal complexity cybersecurity has developed over the past two decades. The role of the CISO has to be one of a leader: structuring, organizing, delegating and orchestrating work across their team, across the firm and across the multiple third parties involved in delivering or supporting the business. In essence, knowing what to do is important, and cybersecurity good practice overall still protects from many threats and ensures a degree of compliance with most regulations.
But by focusing excessively on purely technical approaches to cybersecurity challenges, large organizations have failed to protect themselves effectively and efficiently, in spite of massive investments in that space over the past two decades. This is essentially due to the cross-silo complexity of the problem, which would require a mid- to long-term focus to be properly addressed and comes into conflict with endemic corporate short-termism, leading to execution failure.
Increasingly, in the face of non-stop cyberattacks in large firms, the key priority around cybersecurity is now to get things done. The role of the CISO is entering its third decade of existence, and it is likely to be an “Execution Decade” with cybersecurity becoming an imperative as the “when-not-if” paradigm around cyberattacks takes root in the boardroom.
But large organizations have to face their own inherent complexities and accept that the time has come to look differently at the role of the CISO in that context: This is no longer about throwing money at alleged tech solutions. The role of the CISO is becoming a true leadership role and what is required to get things moving is political acumen, managerial experience and personal gravitas over raw technology skills.