In this subsection from our CISO Survival Guide, our mystery CISO covers the key topics surrounding the evolution of the role from boardroom engagement through to the build or buy debate. We tackle some of the key questions facing CISOs today in this rapidly changing market where risk is seemingly everywhere, and prioritization is essential.
Skip ahead to:
- Cyber security in the boardroom
- The evolving demands of the CISO
- The business case for cyber security investment
- How to prioritize potential projects when risk is everywhere
- Understanding the business and translating risk issues effectively
- Perception vs. reality: who owns the risk between the CISO and the business?
There’s a lot of talk about cyber security moving up the board’s whiteboard of priorities. How much of that is hype vs reality?
I would certainly agree that cyber is genuinely moving up the board’s agenda – particularly in enterprise-level organizations. I put this more down to customer demand than anything else. The customer is becoming far more knowledgeable about security. They know what they want from a partner or supplier and know how to validate what they are getting. In more and more sectors, security is a prerequisite to the offering and is a feature customers won’t take lightly.
At a macro level, regulation is also driving a focus at board level, coupled with a desire to protect against the reputational and financial damage of becoming front-page news. The net result has been risk and audit committees getting more face time and attention at board level over the last 12 months.
How have the demands placed on the CISO evolved over the last 18 months?
Growing expectation and demand is something that needs to be managed by the CISO. Security is all too often seen as a firefighting capability, and that’s not good enough in the corporate world. It’s become essential to operate in a more controlled fashion. The CISO needs to be accountable for formally documenting the services the security function offers to both the business and its customers. We are talking about ‘demands’ here, but there is an association between demand and the capabilities of the team. If the security team is ineffective, the business will go off and do things themselves, exacerbating the challenge. We talk a lot about risk in our line of work, but the opposite of risk is opportunity. Every business is looking to grow and deliver their service more effectively.
There is, quite rightly, a growing expectation for the CISO to define what we do as a function to help the organization grow, whether that’s delivering services better with more control or simply stopping things from failing so frequently. I’d also say that our remit is about more than just the information security side of things. The CISO needs to understand business continuity, commercial management, supplier management, program management, and service delivery management. Everything we do should be targeted at driving the business objectives, and as a community, we need to get far better at expressing that.
How would you go about making the business case for further investment in cyber security initiatives?
Building a business case for investment in cyber security is pretty much the same as any other business case. You need to understand who your supporters are and what motivates them. You need to be clear about what the benefits are actually going to be. You need to be clear about how the initiative will be funded: is it a capital project, for example? Could you sell the benefit to the customer? None of this is likely to be new information, but bringing your sponsor along the journey with you is key.
Sometimes it’s about benchmarking and ensuring everyone understands where you are today. There are plenty of reference points to utilize, from internal audit reports to external maturity assessments. To get that investment, you need to paint a very clear picture of what the organization looks like today and where you want to be.
Would you say that motivation to invest in cyber security initiatives is all about ‘sticks,’ or is there a lot more ‘carrot’ in there too?
I am going to swerve the question slightly and say it’s all about good financial planning. Investment in cyber security is about understanding who you are, who your customers are, and assessing each other’s maturity levels. Then it’s a case of working out what the delta is and how you bridge that gap. There are always going to be carrots, and there are always going to be sticks, and the two aren’t mutually exclusive.
What advice would you give to a CISO who is literally overwhelmed with potential projects? When risk is everywhere, how do you prioritize?
My advice would be to agree on a clearly defined program of work with the business as quickly as possible. There are a few steps you should look at taking to achieve this; some you can do yourself, and others will rely on your internal and external stakeholders. Firstly, on the more technical side, you need to understand where the vulnerabilities are. You need to actively review events as they happen on the network. You also need to look at how you are managing incidents. For me, solid preparation is 90% of the battle here. At some point something will happen and everybody needs to know what their roles and responsibilities are. How are you going to run that incident? Which 3rd parties will you be calling upon? Then rehearse, rehearse, rehearse.
Finally, on the technical side, you need to do an impact analysis on those scenarios, which will undoubtedly help you with the prioritization challenge. It’s important to hear lots of voices. Don’t just plow on with your own agenda without considering the issues of the stakeholders that make money for the business. In defining your work program, ensure you don’t include too many white elephants. Look for quick and meaningful wins like a repeatable, continuous vulnerability management capability.
How good a job are security teams doing in terms of understanding the business and translating risk issues effectively?
As a community, we absolutely have to get better. I think there is still an element of doing security for the sake of security; risk assessment for the sake of risk assessment. But that counts for nothing if it’s not adding value to the business's proposition. I always want to be in a place where we target everything we do against the strategy of the business or the customer. To make that step change, we need to inspire our teams to think outside the ‘security 101’ textbook. I am also a big believer that we should be placing a heavy emphasis on development.
All roles should have clear terms of reference that include a level of stakeholder management. Skills are important, but given the shortage that exists, it’s rare that you will find a candidate who has every attribute you are looking for. In such cases, it’s often a good idea to develop from within, where you’ll find people who know the business and the stakeholders – that’s a great starting point.
Do you think there is a difference in terms of perception and reality when it comes to who really owns the risk between the CISO and the business?
I think 10 years ago, the perception might have been that security owned a lot more of the risk. That has probably changed somewhat as security functions get better at defining and revising their risk management processes. This is important as unless people in the business understand their roles and responsibilities, we ultimately can’t manage that risk for them. I like to think that you will have risk owners who ultimately sit within the business and risk managers who sit in security.
The issue of MSSPs and whether to insource or outsource is a really hot topic. What’s your take on it?
Whenever you consider whether to build or buy, you need to think about what’s right for the organization. I often find looking at external options and moving forward from there helpful. To my mind, the key to the build vs. buy debate is understanding which requirements are a commodity and which are truly bespoke to your organization.
First-line security services might be a relevant example. You might not be trying to reinvent the wheel here. It’s like when you go to buy a car: do you look at the proven manufacturers first before you build a custom one from scratch? I’d be tempted to.