Sivasubramanian: CISO is not just a security manager

The role of a Chief Information Security Officer (CISO) is changing from that of an IT security manager to that of a C-suite executive who secures the business interests of the enterprise.

Sivasubramanian, Jan 09th 2018

The origins of the present-day CISO role can be traced back to that of the IT Security Manager, a role that was deeply entrenched in technology reporting structures and reported to the manager of IT infrastructure.  As security threats increased exponentially and their impact on companies became significant, this nondescript back-office role grew in stature to find a chair at the CIO's table.  Despite the ‘C’ in the title, the CISO role is still mostly viewed as an adjunct C-suite role. But with boards increasingly recognizing security threats as among the top risks for companies, this role is fast becoming a full-fledged C-suite role.

The Metamorphosis

Despite their elevated role, CISOs tend to be less business savvy and continue to be very technical.  They tend to view all problems, including business challenges, through a technical prism and attempt to solve them all with technology.  They divide their time between fighting operational security issues and maintaining compliance: warding off security attacks of varying flavors, from APT to ransomware, and ensuring compliance with a plethora of norms and standards such as PCI DSS and privacy laws, including reporting to national and sectoral CERTs.

With information security risks appearing among the top five business risks for a board, the CISO is forced to take a holistic view of the problems from the business and customer points of view.  The CISO’s solutions are no longer black and white but a deft balance between customer experience and risk.  The CISO no longer views data leaks and fraud as mere technical issues but is starting to consider them as broader people and process issues with strong cultural underpinnings.  The CISO is taking a leadership view of business problems that are masquerading as technical issues.

With this mindset shift, coupled with a new armory of soft skills such as business-to-business communication, relationship building, influence and leadership of people, the CISO role is fast transforming into a full-fledged C-suite role.

New Challenges

Businesses are increasingly adopting digitization, artificial intelligence and automation, all of which lead to products and services becoming an amalgam of technology-enabled functions.  Securing these new products and services will become a key function, and businesses will soon be promoting security as a unique selling proposition.  The CISO role will play an important part in securing the design and delivery of these new products and services from build to operations, becoming critical to, if not an integral part of, the core business.

The disturbing trend now is that data leaks happen outside of the cyber realm, across physical boundaries.  Assange and Snowden showed how simple social engineering tricks could cleverly bypass cyber defenses in stealing highly protected classified data.  In corporations, where the rigor for protecting data in non-electronic form is lax, data leaks through physical channels are high.  Equally, the trends of ‘physically staged cyber-attacks’ and ‘cyber-staged physical attacks’ are on the rise.  These trends will lead to a merger of the cyber and physical security functions and the emergence of Chief Security Officer (CSO) roles, where the CISO will either become the CSO or report to one.

The CISO will also be increasingly drawn into protecting and safeguarding the privacy of information.  With the advent of new privacy laws and the GDPR, managing privacy will become one of the core tasks of the CISO.

In the not too distant future, as IoT takes off, context-sensitive security will become a necessity. Determining which risks to protect against and which to accept will become a key factor, and CISOs will be the ones to advise on and plan for it.

All these changes might earn the CISO a seat at the CEO’s table too.

From delivery officer to trusted advisor

As cybersecurity threats continue to evolve and become increasingly prevalent in a world that is ever more automated and digitally focused, the CISO role will continue to grow in significance and complexity.  The CISO will move from a functional delivery officer to a trusted advisor to the company: briefing the board on security risks, winning support for his or her initiatives from fellow C-suite executives in business speak, energizing the wider company staff in leadership speak to align them to those initiatives, and communicating with the technical troops in tech speak to secure the company.  With that, you will see the arrival of a new leadership role in enterprises.

The author is CISO at Optus.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).