James Carder, senior executive at LogRhythm, discusses the changing expectations from CISOs across organisations.
When the role of the chief information security officer (CISO) was first created in the 1990s, few people fully understood exactly what that person did.
Leading a corporate security team and responsible for keeping critical systems protected, they tended to work behind closed doors, were often buried in an organisation behind IT and had a low profile within the organisation.
Fast forward to 2021, however, and the CISO role has gone through quite an evolution. No longer working in the shadows on mysterious projects, they’re front and centre and playing a critical role for both internal and external stakeholders. Many also sit on corporate and advisory boards, providing valuable insights and knowledge.
Increased business acumen
While a CISO is naturally expected to have a deep understanding of security technologies and tools, many are finding they also need a broad knowledge of the business environment in which their organisation is operating.
To enable them to design and deploy the most effective IT security possible, they need to understand the commercial priorities of senior management, the activity of competitors, and the shifting demands of customers.
To help expand their knowledge, some CISOs opt to study for a Master of Business Administration (MBA). This can add further understanding of why senior management makes certain decisions and how security fits into the wider picture. It also gives CISOs visibility into how businesses operate and equips them to speak the language of the executive team and board.
For example, if a CISO understands the language of the business, they can better tailor their actions to align with organisational goals, better comprehending where a security budget can come from and what areas it can influence. They can also understand the process and operational efficiencies of security and how these impact the business. Ultimately, if you cannot translate security to the business, you will fail as a CISO, and that’s what an MBA helps with.
Taking a financial perspective
CISOs are also increasingly finding themselves involved in the budgeting side of the business. Rather than being given a set allocation of funds to meet expenditure for the year, they are expected to formulate their own budget and then ‘sell’ it to senior management.
To do this effectively, they need to have oversight of the organisation’s broader budgetary priorities. In this way, they can determine what proportion of overall spending is to be allocated to security, ensuring it is a realistic mix.
When compiling a budget, it’s also important that spending reflects the actual value of the assets that are being protected. This is important as there is little point spending $5 to protect something only worth $1.
Planning and budgeting also needs to take into account your organisation’s core business activities. Security needs to be seen in the context of all business activity to ensure it is as relevant and effective as possible.
Another priority is to ensure that spending is targeted and achieving an expected return on investment for the organisation. If business activity changes – such as more people working from home – the security tools and services in place must also change to ensure value for money continues to be achieved.
Many CISOs find it worthwhile to maintain strong working relationships with key technology providers. This allows them to have visibility of product roadmaps so that future spending can be made at the most beneficial times. These relationships also ensure CISOs maintain a view of the wider technology landscape and allow them to keep their IT architectures current.
Dealing with the board
Another component of the CISO’s evolving role is a deeper relationship with the management board. Rather than simply presenting a report at formal meetings, the CISO is likely to have a closer working relationship with the board at all times.
To achieve this, many CISOs find it effective to treat each board member as an individual. Each will have their own perspective and experience, and this should be used to guide conversations.
During these interactions, it’s important to provide a large-scale picture of what is going on in the wider market and what implications this has for your organisation. Take time to discuss recent breaches and the steps being taken to ensure your organisation will not fall victim to a similar event.
The CISO’s relationship with their board can also be enhanced through more regular presentations. They can also consider running board-level committees with a focus on cyber security and risk.
Fostering wider relationships
As well as the board, it’s increasingly important for CISOs to establish connections with people at all levels across the organisation. This will enable them to get a clear understanding of what is happening and where potential security challenges may exist.
Encourage feedback from staff at all levels and ensure they understand their role in achieving effective security. If they see the CISO as someone who is approachable, it will make them more open to any behavioural or operational changes that might be required.
Relationships should also be maintained with external parties such as other CISOs and groups that share information about the evolving threat landscape. Networking can be a very valuable activity.
The role of the CISO has changed significantly in recent years, and this process is likely to continue in the future. Aware of the challenges and with a solid network in place across their organisations, CISOs will be much better placed to undertake their duties.
James Carder is the chief information security officer at LogRhythm.