Chief information security officers (CISOs) are being asked to not only protect the organization from threats, but also to help the business achieve its goals by leveraging technology and data in a secure way.
This shift in focus requires CISOs to have a better understanding of the business and to develop stronger communication and collaboration skills.
The CISO is already recognized for expertise in security program fundamentals, from infrastructure design and controls implementation to operations, threat detection and response.
Now a CISO must define a coherent business case for cybersecurity, which rationalizes investment in cybersecurity and demonstrates the measurable value of the program in terms that are recognizable to decision makers.
Developing and delivering on a cybersecurity business case also promotes strong collaboration, strategic planning, program oversight, and communication skills.
This means CISOs should also commit to becoming a credible intelligence resource with timely access to emerging trends and accepted standards of cybersecurity practice.
“In addition to technical and tactical competence, the business needs the CISO to become a trusted advisor on risk governance,” adds Mike Eisenberg, vice president of strategy, privacy and risk at Coalfire.
This includes establishing and communicating purposes and strategies, accountability structures, program performance disciplines, and stakeholder engagement.
He explains by aligning cybersecurity with business strategy -- objectives, imperatives, market analysis and resource planning -- the CISO is better positioned to consult with business leadership on risk analysis, process improvement, product/service innovation, and resource management.
Forming New Partnerships Across the Enterprise
Guillaume Ross, deputy CISO at JupiterOne, adds public company CISOs will need great relationships with general counsel and chief risk officers, while CISOs in tech startups will need great relationships with engineering leadership.
“With so much work being outsourced to vendors from cloud to managed services, vendor relationships will continue to become more important,” he says.
From his perspective, startups with more recent environments and fewer employees will look for security leadership that is more technically hands-on than what is usually seen in CISOs, while larger companies will look for CISOs that have significant business acumen.
“We will see more business-unit level security officers in organizations of a certain size, representing the needs of their own area of the business,” Ross predicts.
Stan Black, CISO for Delinea, agrees that CISOs are not just responsible for IT anymore.
“Now our responsibilities cut across the entire business,” he explains. “We are tied to customer supply chain risk, so we are revenue enabling. We work together with legal to identify and manage risk.”
With the use of third parties, the CISO's scope has expanded, which Black says is why CISOs are now seen sitting at the executive table, providing insights to the board, and providing value adds that help differentiate organizations from competitors.
“CISOs must understand the challenges and requirements of the customer and be an enabling partner to the entire go-to-market organization, partners, and the customers themselves,” he adds.
He says the best way to develop these skills is through experience, asking questions, listening to and learning from customers, providing actionable and valuable insights, and being a trusted and reliable resource.
A Focus on Managing Third-Party Relationships
Eisenberg agrees that CISOs should also prioritize working relationships with a portfolio of trusted third parties to advise, supplement and support essential program functions.
“As CISOs increase their leadership presence, focusing on managing horizontal relationships as well as managing upward will help build a support network with their peers in other functions, broadening their reach and sphere of influence,” he says.
More important than ever before are collaborative relationships with executive leadership (including board of directors and lines of business), risk, finance and marketing.
Black points out there have been a range of new security leadership roles that have come into the fold as the threats evolve.
“Data analytics is trying to keep up with the attacks, a constant challenge that requires automation to transcend human-speed analysis and provide clean data, and then risk rank that data to understand what ‘good’ is and how to best spend time on potential bad,” he explains.
In addition, extensive testing now must bring multiple team members together, including those who are not traditionally part of those processes, and do so in a way the inclusively gamifies testing so everyone involved can think like diverse hackers.
“Artificial intelligence and machine learning tools are being used by our adversaries, so that is another area where leaders must address multi-vector attacks by also using AI/ML to thwart their speed and effectiveness,” he adds.
CISO Role Evolving Along with Other Security Leaders
Darryl MacLeod, vCISO at LARES Consulting, says the most important relationships for a CISO to form include those with the board of directors, the CEO, and other C-level executives.
“CISOs should also work closely with legal and compliance teams to ensure that the organization is meeting its regulatory requirements,” he says. “Additionally, a CISO should also develop strong relationships with other security leaders in the organization, as well as with external partners such as vendors and industry groups.”
He points out other security leadership roles are also changing and include the chief security officer, and the chief privacy officer, with new roles emerging, including the chief data officer and the chief digital officer.
MacLeod says as the threat landscape evolves in 2023, the complexity and sophistication of threats will require CISOs to be more proactive in identifying and mitigating risks.
“The increasing importance of data privacy and regulatory compliance will require CISOs to have a better understanding of the legal and regulatory landscape and to be able to demonstrate compliance with relevant laws and regulations,” he says.
Eisenberg adds increased scrutiny of organizations’ spending for essential services will require the CISO to business rationalize strategic investments in cybersecurity to counter the ever-increasing complexity and velocity of cyber threats to business resilience.
“The influence of the CISO role is based on strong relationships, program discipline and effective messaging,” he says.
What to Read Next:
The Chief Trust Officer Role Can Be the Next Career Step for CISOs
CISOs Mark Data Proliferation as Growing Security Problem