COMMENTARY: The CISO's role looks drastically different today than it did 10 years ago. What was once thought of as a siloed function responsible for keeping an organization from getting hacked has turned into a position integral to the strategy-setting, success and security of an organization.
What does this mean for CISOs? Well, it’s time to make some C-Suite friends.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
According to a recent Splunk report, 82% of CISOs now report directly to the CEO, a drastic increase from 47% just two years ago. While this may increase the pressure on the CISO, it's a good trend. It's actually the big break the industry has been hoping for over the past decade. Finally, boards and CEOs are recognizing the critical importance of cyber issues to modern business.
However, it's also a double-edged sword. As the CISO role becomes increasingly business-critical, and thus has more eyes on it, the threat landscape has some new kids on the block (GenAI) that are making it a more dangerous place than ever. Not to mention that regulations are popping up all over the place, and few (if any) are harmonized.
So what does it take for a CISO today to successfully lead a cybersecurity team? They must have the ability to do the following:
Communicate complex business and technical topics
A decade ago, the first item on this list would likely have been preventing and responding to threats. There's no arguing that incident prevention and response are important, but technical skills have moved down the list of priorities for CISOs. In fact, in a recent survey of nearly 300 cybersecurity professionals, 85% cited communication as the most important skill for CISOs to have.
So how do they accomplish this? CISOs have to work both up and down the reporting chain. Communicating down the chain requires the ability to break down overarching business objectives in a way that security practitioners understand and can use to perform their jobs better.
Successfully communicating up the chain means relating complex technical concepts back to the core mission of the business. Why should the board, CEO or CFO approve an investment in deepfake detection software or the latest vulnerability management tool? Without effective communication skills and strong business acumen, the chances of building a strong relationship with either the C-Suite or the cyber team are slim to none.
Develop strong business acumen
Every CISO must win buy-in for security strategies, and that requires strong business acumen: the ability to explain how cyber risks, initiatives, investments and decisions affect the organization's overall risk posture and business performance.
However, CISOs looking to shore up business knowledge and vocabulary don't have to go back to square one and earn an MBA. They can lean on business-side peers such as the COO to act as mentors in a relationship of shared education, or sit in on non-security meetings to get a sense of the state of the business. There are many non-traditional ways to build skills and increase knowledge.
As cybersecurity leaders work to further position their departments as business-critical, it’s crucial to pursue these relationships.
Build a strong compliance and regulatory management team
Regulatory compliance has become more complicated as consumers' demand for data security spikes and governments worldwide crack down on noncompliance. In the U.S., industry-specific regulations such as HIPAA or PCI DSS were the name of the game in the early 2000s, and while important, they were relatively straightforward to manage.
Now, privacy laws ranging from the EU's General Data Protection Regulation (GDPR) down to state laws such as the California Consumer Privacy Act (CCPA) have changed the game. CISOs are expected to stay up to date on the legal frameworks relevant to every geography they operate in, and the repercussions for failing to do so can be costly.
With a regulatory landscape in flux, CISOs have no choice but to stay in the loop on what’s changing and what actions they need to take to remain compliant.
CISOs are at the most exciting, and most daunting, point in the history of the role. It's easy to feel the pressure now that they've finally earned a seat at the table, but with the right skills, continuing education and support from other organizational leaders, CISOs can prove the value of the cybersecurity function to the success of any business.
Jon France, chief information security officer, ISC2