On paper, the evolution of the CISO seems straightforward to understand. In reality, things are not always what they seem, especially at the surface. Once you start to dig, pull, pry, and examine what lies below, you will find much more than you bargained for. The real story is what lies beneath.
It is believed that the first person to claim the title of CISO was Steve Katz, who took on the role at Citigroup in 1995.
As someone who previously worked on developing speaker bureaus and C-level events, he was always an executive I wanted to meet, speak with, and learn from. What is interesting is that this occurred some 20+ years ago. So, where are we now? What I can tell you is that even today not every organization has a CISO. Why is this still the case? Am I the only one wondering? As someone who is not a CISO and is on the outside looking in, it is something that fascinates me; I would like to know, but I don't have the answers.
I’d like to explore and attempt to tackle a few things in this article:
- The CISO of Yesteryear.
- The CISO of the Future.
- The Next Wave.
Security is one of those rare things that is universal. No matter the industry, role, responsibility, or company, everyone is dealing with the same challenges, just to varying degrees.
Basic accountabilities include the creation and maintenance of the vision, strategy, and protection of the enterprise. No matter the number of employees, annual revenue, or size, any company can be a target for an attack. A CISO handles anything from security architecture, risk management, GRC (governance, risk, and compliance), IAM (identity and access management), BCP (business continuity planning), security operations, physical security, and cloud security to several other areas of security strategy. Duties vary by organization, but a CISO is always focused on protecting the confidentiality, integrity, and availability (CIA) of the company's information and systems, including its intellectual property. To succeed, it must be a single dedicated role, not one shared with other duties.
In a perfect world, every single company would have a CISO. Problem solved.
Well, not really; maybe partially. The CISO must continuously evolve in order to remain an integral part of the leadership team. One of the scariest things anyone in business can hear is, "Well, we have always done it this way." As cyber threats continue to evolve rapidly, how are you going to prepare for attacks that are far more sophisticated than those seen three years ago, three months ago, let alone three days ago? You can probably see where I'm going with this. One has to minimize risk and maximize operational efficiencies, both of which depend on maturing the environment. If you don't adapt, expect to become obsolete.
In terms of technical acumen, some of the strongest minds in IT are found in information security. What about their business acumen, though? In the digital age and a world of interconnectivity, communication and collaboration are critical to a CISO's success. "Speaking the language of the business" is a phrase that has been tossed around for some time now, and both today and into the future it will continue to be worth its weight in gold. It is by far one of the most important skills a CISO must possess. If you are unable to qualify or quantify something to your board, management, or stakeholders, then best of luck getting the tools, resources, or money needed to do your job effectively.
In a TechTarget article, Digital Management's CISO Rick Doten said, "The security guy really needs to understand the business risk, because a CISO's job is not to protect IT, it's to protect the business from the IT infrastructure" (Blevins, 2014). A CISO interacts directly with other members of the C-suite. According to Engle, C.C. and Guttman, "when there is a data security breach, the CISO should have the authority to affect change on par with the CFO, CIO, and other key executives" (2014). CISOs are responsible for keeping up with the constant changes in the threat landscape and for protecting the assets of the company.
In summary, claim your seat at the table. At the very least, make sure there is a dotted reporting line into the boardroom. Be a change-agent leader whose role is more than just protecting assets, data, or intellectual property. Be a driver of innovation, growth, and strategy that affects the bottom line. Security is not a cost center but a revenue driver, and having even an ounce of support will make all the difference.
The Wave of the Future:
All good things must come to an end. Yes, I'm talking about you. At some point, once our shelf life has expired and we have all moved on to greener pastures, a new wave of security professionals will be tasked with taking the reins.
In reality, security is a profession that needs help. We always hear about unemployment rates and a lack of "tech talent." What if the problem is that there are too few jobs at the top level to absorb the current market of talent? What if you actually have the right talent, but it isn't being developed, retained, or valued enough?
The point is that increased education and security awareness need to be used to develop the next group of tech talent. I've heard of many organizations partnering with grade schools and high schools to build these skills early for those who are interested. The same goes for universities. Be a mentor. It's a start. Many of the great CISOs I've been fortunate to have met, spoken to, worked with, and befriended over the past several years got into security because of someone great ahead of them. Perhaps following a great leader is what it takes.