The relentless bombardment of cyber-attacks, and the fear of a breach and all that entails, have led to some rather dramatic changes in the Chief Information Security Officer position recently. It has long been considered the corporate hot seat, where job security is a misnomer and the average tenure is less than two years. That may still be true for many, but changes are happening that are finally allowing the CISO to emerge from the shadows of the IT department.
There is a move away from checkbox security towards a more business-minded, risk-based approach. This is highlighted by Gartner's move away from GRC to a new category called Integrated Risk Management. This is an important step in formalizing and elevating security to a place of strategic importance.
Another thing changing for the better is structural: who the CISO reports to. It used to be that the CISO reported to the CIO, or perhaps to Legal. According to the PricewaterhouseCoopers (PwC) “2018 Global State of Information Security Survey”, 67 percent of top InfoSec executives reported to the CEO or directly to the Board; a mere 24 percent reported to the CIO. This is a positive change from a 2015 study by the Georgia Tech Information Security Center, which reported that 40 percent of CISOs reported to technical leadership.
This executive visibility is even moving beyond the CEO to the Board. In fact, New York state recently became the first state in the nation to mandate that CISOs present annually to the Board of Directors. This is significant because it shifts the burden of ultimate responsibility to where it should be: the Board. Board members can no longer claim ignorance of security issues and point fingers at the CISO, at least not as easily as they have in the past. The question is whether the CISO has the most pertinent information, presented in terms the Board can understand.
Greater executive and Board-level visibility has long been the dream of the CISO. The belief was that if they only had that connection, they could explain what they were doing, translate the technical into business terms, show what the threats were, and show to what level they could protect the organization. The reality is that, to date, the CISO has been unable to measure, value, and report on progress in terms that are immediately meaningful to the rest of the C-Suite.
Historically, CISOs may have shown technical metrics such as vulnerabilities patched, malware blocked, and compliance reached when presenting their programs to the C-Suite and Board. This has helped to reinforce the idea that security is a technical rather than a strategic role. With their status being elevated more formally, ad hoc presentations using the same old tools are no longer acceptable.
After all, the head of sales has, well, Salesforce, Marketing has Marketo, Finance has Workday, and on and on it goes. What does the CISO have as their single source of truth? Excel and PPT? This is a gaping hole for most organizations and leaves the CISO on the outside looking in when it comes to strategic investment decisions. Security is competing with the rest of the business (e.g. marketing, sales, R&D) for limited investment. These other business functions can much more easily demonstrate valuable returns than security can using conventional approaches. This issue will become even more pronounced when the next recession hits and the C-Suite budget battles make Game of Thrones seem civil.
If the CISO cannot justify spend, or demonstrate outcomes mapped against specific levels of threats and risk tolerance, then they will find themselves struggling to justify and maintain the budget and operational progress they’ve made so far.
To date, the CISO has been at a disadvantage to all of their executive peers, and that has had cascading negative consequences for the organization, starting with the security posture itself and extending to the security team. If the security team sees and feels the disconnect, they will believe they are set up for failure and will begin to look elsewhere for employment. This is especially true of top talent, who are in such high demand.
The communications breakdown has been allowed to continue because the CISO was on the outside looking in. They weren’t part of the executive team. They weren’t brought before the Board. They weren’t, frankly, viewed as business executives, but as technical team leaders and consumers of budget. All of this is changing for the better.
Now that the CISO is inside the circle of trust, how do they stay there? It certainly won’t be by teaching the Board the latest NIST recommendations. It will be through their ability to translate security into business terms, helping business leadership make specific investments by unifying the security program into a holistic and calibrated business plan that helps to transcend red tape and politics.
What’s clear today is that the future success of the CISO has as much to do with meaningful measurement, visualization, and communication as it does with preventing and controlling threats.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.