A survey from Trellix offers key insights into the current state of the CISO role: the expectations, challenges and responsibilities associated with the position, as well as the recent changes it has undergone. 91% of respondents believe the expanded expectations will cause a higher turnover rate in the CISO role, and 84% assert that the position should be divided into two roles: a technical role (CISO) and a business-oriented role (BISO). Notably, if no positive change is seen in the industry, nearly half (49%) of CISOs say they do not see themselves in a CISO role in the future.
George Jones, Chief Information Security Officer at Critical Start, offers the following insights into how a division of responsibilities between multiple roles could be beneficial.
“The division between a technically focused CISO and a business-focused BISO could create a more balanced leadership structure, allowing for specialized attention on critical areas. The technical role would focus on threat mitigation, incident response, and proactive defense mechanisms, while the business role would ensure cybersecurity aligns with business objectives, compliance, and risk management. This separation could streamline decision-making, as both roles could operate independently without becoming overextended, ultimately improving overall security posture and resilience,” Jones states. “The challenge, however, lies in ensuring that both roles remain in lockstep, with clear and consistent communication, so their priorities support the same strategic goals and align with the organization’s broader business objectives.”
CISOs also report difficulties in board and C-level comprehension. 66% report the board does not fully understand the cybersecurity issues presented to them, and 59% of CISOs say their perspectives are not aligned with the CIO or CEO.
Jones elaborates on these challenges, saying, “There are a number of challenges in communicating cybersecurity risks to board members who may lack technical expertise. The key challenge is communicating and translating cybersecurity risks into business language that aligns with, and resonates with, the board’s priorities. These priorities typically include financial impact, operational disruption, and reputational damage. CISOs need to present cybersecurity metrics in terms of risk management and potential business outcomes. Using analogies and visual aids can help simplify these complex issues. Storytelling is also a powerful tool that allows CISOs to connect security events to real-world examples, thus making them more relatable. Building strong relationships with individual board members outside of formal meetings can further facilitate understanding and alignment on risk tolerance.
“As more boards recognize the importance of cybersecurity knowledge among their members, investing in cybersecurity education and ongoing training becomes essential to ensure they stay ahead of evolving threats and understand their potential impact on business operations. Providing board members with access to cybersecurity briefings, workshops, and industry events can help bridge the knowledge gap. Regular tabletop exercises involving the board, or debriefing them afterward, can also be effective, as they offer hands-on experience with the decision-making process required during a crisis. Additionally, establishing an advisory committee focused on technology and security can significantly elevate the board’s awareness and preparedness.”
How can CISOs manage the challenges of the role?
Although the challenges of the role are increasing, it is still possible to ease the pressure on CISOs and keep the role sustainable.
To ensure future success in the CISO role, CISOs should be able to rely on team members for support. Jason Fruge, Resident CISO at XM Cyber, says, “Now more than ever, CISOs need to empower (and hold accountable) their entire chain of command so they can elevate the level at which they operate. Evaluating the CISO organizational model may be necessary to ensure the proper leadership structure and that technical leaders support the CISO in developing technical capabilities to reduce risks.
“Every CISO should strongly partner with internal and external legal counsel and participate in CISO professional information-sharing networks such as the various ISACs, which keep members apprised of relevant regulatory matters for their sector.
“Board members understand business risk quite well, and governance is the primary aspect of the board members’ role. The CISO needs to put cybersecurity risk into a business context and update the board consistently with how other risks are discussed. A good practice to make this successful is to work offline with the corporate secretary or someone similarly close to the board to review the best approach for that board. Every board is unique in its capabilities and expectations.”
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, offers the following advice:
“While it may be difficult for brilliant technical people to understand and expand their understanding of the business, there is a method to that madness. CISOs need to know and clearly understand what really makes their business succeed and win in the market. Once that is understood, CISOs need to determine what digital systems need to be available for the business to succeed. From there the CISOs will find it easier to navigate because it begins to get technical. So if you connect the dots and find out, for example, what digital systems make patient care succeed at a hospital, it can be the focus of a CISO’s initiatives to prevent the spread of ransomware, by putting in foundational capabilities.
“There are a few strategies that I would recommend for staying ahead of cybersecurity regulations without overwhelming resources. The most important is to divide and conquer. Work closely with the General Counsel and his team to find regulatory changes that will affect the business. Also be part of CISO communities that help other CISOs to learn about new regulations. At ColorTokens, I am continuously getting updated, not only about the laws that change, but also the laws that have been proposed to be changed.
“CISOs must educate the board members. In fact, that should be an initiative on the CISO’s table, and someone should be tasked to do it. Today, there are many SaaS solutions that do this too. Educating the Board is a non-negotiable if the CISOs expect the Board to understand the difference between a NAC and IAM. The other thing to do is to change the tech language. I would have a pre-read that explained all the jargon on my slides, and that would be available to all participants before the board meeting.”