Back in the old days, CISOs played a somewhat secondary role in business growth and strategy. The CISO role was largely technical and reactive, with a focus on technical architecture and response to security threats and data breaches after they happened. At that point, CISOs were considered technical experts for a part of IT that was about security, and not business influencers.
Fast forward to January 2022, and those days are long gone. Security as a business function is a business enabler today. CISOs are now taking on a serious strategic role — blending technical expertise with business acumen, plus the ability to communicate complex issues to non-technical board members. Although they are no longer required to possess in-depth expertise in one specific security issue, they are now expected to have a reasonable understanding of all possible security risks and to develop strategic security protocols that enhance the business process.
With that, CISOs have stepped out of the server room and are stepping into the boardroom, the risk steering committee, the security team meeting, the sprint planning meeting, the audit meeting, and the list goes on…
The CISO role has undoubtedly become one of the most multifaceted positions in a company. Just to add some imagery to that, CISOs are now expected to be super flexible yogis — stretching their attention up to the boardroom, down to their security team and across to the multiple teams they interact with daily — development, IT, operations, legal, HR, and more.
While this has, without a doubt, made the CISO role more central and rewarding, it has also made it much, much more challenging. Let’s break down these challenges across the following dimensions:
In a world where the day’s headlines are increasingly dominated by news of the most recent data breach (ahem, Log4j - we had to mention it, because what’s a cyber blog today without it?), it’s no surprise, and it isn’t new, that cybersecurity is front and center for the executive suite as well as the corporate board of directors.
CISOs are expected to keep these key stakeholders informed in the language of business and in line with strategic business objectives. The goal is to illuminate risk metrics, risk appetite and the ROI of security investments, all without getting too technical, yet backed by quantifiable evidence.
To do that effectively, CISOs are often faced with the challenge of collecting fragmented pieces of information spread across different tools and spreadsheets and then putting together hand-calculated performance metrics. This means that before every board meeting, hours are spent manually assembling a holistic cybersecurity picture.
Most businesses are currently going through some form of digital transformation, either to improve their offering or to streamline their operations. While on one side of the sword this spurs growth and helps maintain a competitive advantage, on the other side it introduces new risks and increases the company’s attack surface.
Security teams are now running multiple programs at once. These include vulnerability management, misconfiguration fixes, application security, pen-testing, bug bounty, awareness and training, SaaS compliance, API security, and the list goes on. With all of this happening across different tools and possibly different teams, it can be a real challenge for CISOs to oversee
With all this happening, CISOs are expected to oversee all the different programs at every point in time and are required to provide advice and insight when necessary. Sounds similar to other managerial roles, doesn’t it? Well, unlike other managerial roles, CISOs don’t have a go-to workspace where they can see everything and manage by exception. While sales directors can understand the status of their teams by glancing at Salesforce, and R&D leads by glancing at JIRA, CISOs have to go from one security scanner to another and hold constant status calls to understand how each program is doing.
Doing the splits across
Security holds a unique role in the organization, unlike any other function. Security itself does not manage a single process or entity; rather, it is an enabler that sits on the critical path of many business processes and projects. The more obvious processes that security enables are the technological ones with the development, IT, operations and DevOps teams. But there are also less obvious ones with HR, legal and even marketing.
This means that many of the people, procedures, and technical infrastructure required for security’s success are actually outside security’s direct control. As such, CISOs need to enable their security team to collaborate with other teams across the organization in a manner that does not disrupt operations or creativity, or make security feel like a damper on them.
To genuinely make security an integral part of existing processes, CISOs need to empower their teams to provide a self-service approach where the relevant peers can “consume” security in their own way. With security teams already spread thin and overworked, this isn’t a simple task, as it requires in-depth business context, significant automation and a diverse set of tool integrations.