Modern CISOs have found their role shifting away from that of the technical security expert toward that of someone who speaks the language of business, framing their security program in terms of enabling positive business outcomes.
With many technical security functions now shared between IT, development, and security operations teams, the CISO role has become more of a business leader than the traditional IT security leader of the past.
This means translating their overall security priorities and initiatives into risk terms that executives can understand and support.
High-performing CISOs are taking strategic business objectives and efforts into account and adapting their security programs to deliver results that multiply business velocity and revenue, instead of hindering the business by basing a security program on threats and vulnerabilities alone.
More Influence, Less Hammer
This means CISOs are also having to become more business-savvy, helping promote a security culture through shared values, trust, and accountability, often more through influencing skills than with the security and compliance hammer.
“We’re seeing the CISO role being elevated out from underneath the CIO’s IT umbrella and becoming a direct report to the CEO,” explains John Hellickson, field CISO executive advisor for Coalfire. “This means they are expected to bring a high degree of business acumen in how they represent risk to their business peers and stakeholders.”
He said the need for establishing business-aligned cybersecurity programs that go beyond typical control frameworks is now table stakes — the ability to demonstrate positive business outcomes and ROI of security risk management activities and investments will continue to be expected in the years to come.
“CISOs who are integrated into strategic business planning and participating in the growth and profit of the organization are those who will set the example for all others in the role,” he says.
Striking a Balance in CISO Role
From Rapid7 CSO Iftach Ian Amit’s perspective, the balance is akin to the one a CFO must strike — making sure they are considering what the business wants to do and reconciling that with what the specific field (finance) wants to do.
“Finding alignments between these and focusing on areas where there is a clear alignment is the key to maximizing the efficacy of both the business results as well as the narrower field results,” he says. “One can have great finances, but the business will be failing. The same goes for security — one can have a great security posture, but the business will hurt and won’t be able to accomplish its goals.”
He predicted CISOs would continue to move to the business center as more risk and operations elements become more organically connected to security.
“From legal, through HR, finance, procurement, and of course all aspects of IT and development, CISOs are finding themselves traversing all those functions and having to effectively enable these to operate more freely in order to stay competitive,” Amit says.
Threat Landscape Broad and Challenging
Hellickson points out that with the security threat landscape becoming so broad and challenging, CISOs generally can’t keep up with the necessary staffing and budget required to tackle these threats alone.
“Third-party security partners and service providers are generally trying to tackle specific cybersecurity challenges businesses face,” he says. “They can help a CISO solve specific challenges or even leverage their industry-wide experience to help the CISO find a solution that has worked in similar industries.”
Amit agrees, noting that today’s security landscape of managed services and products enables companies to run a lean security practice by offsetting a lot of the menial work security engineers used to perform.
“Having said that, the needs of one business will differ from another, and as such, security leaders need to have a collaborative relationship with their vendors in order to have an impact on the product and service roadmap,” he says.
Tim Silverline, vice president of security at Gluware, said if CISOs can frame their security initiatives by the incremental value they can bring to the company, they will achieve better success than if the focus of their message is specific to risk mitigation.
“The events of the last few years and the increased media attention to security incidents have delivered enough fear for anyone paying attention,” he said. “The CISO doesn’t need to reinforce the fear but should instead focus on improving security posture in measurable ways likely to attract more business and increase the metrics the C-suite cares about.”
Breadth of CISO Responsibility Expanding
Silverline also admits the breadth of responsibility for CISOs continues to expand, and along with that, the required skill set to be successful continues to grow.
Communicating effectively with the board, maintaining a deep understanding of the evolving threat landscape, keeping up with the rapidly changing compliance regulations, and tracking the seemingly endless vulnerability disclosures are just a few of the tasks CISOs need to manage effectively to be successful.
“Building a strategy to handle all of these responsibilities in a manner that works well and accounts for the resources and staff available to them is probably the most essential skill for CISOs to develop as they grow in their career,” he says.