By Edwin Doyle, Global Security Strategist, published August 22nd 2019
Charles Darwin said, “It is not the strongest of the species that survives, nor the most intelligent. It is the one most adaptable to change.”
Is it time for the role of the Chief Information Security Officer (CISO) to change? Since the birth of cyber security, arguably about 30 years ago, the role of cyber security within corporations has evolved. Thirty years ago, we simply needed a great technologist to install anti-virus software and a firewall.
But here we are, where revenues and our websites are inextricably linked.
I would argue that over the past 30 years, CISOs grew up through the ranks as technologists. Universities didn’t offer undergraduate education in the role of a CISO back when they started their careers. How could universities be expected to? It was a brand new responsibility.
Compare the CISO career to the career path of a CFO… As an aspiring CFO, you’d graduate university with a variant of a commerce or accounting degree, then perhaps serve as an accountant and earn your way at a company until you were awarded the responsibility of CFO, years later. Or what about CEO? An MBA might prepare you. Unlike in the past, the contemporary role of the CISO is no longer purely technical.
It is now time for the role of the CISO to mature into the primary responsibility it was destined to become; a role revolving around a deep knowledge of technology, combined with sharp business acumen.
CISOs need to understand the entirety of what’s going on within a corporation, from how their team’s decisions will impact business, to how the decisions of other departments will impact revenue streams. The ability to articulate business risks to the organization and to the board is also imperative.
Until new graduates of university-level cyber security programs earn their stripes and their gowns, we will have to accommodate CISOs who might not be so well versed in business.
To solve this issue, I argue that the CISO should report to a person within the organization who understands risk, can articulate it in business terms and, since cyber is so critical to an organization, this person needs to have a seat on the board. Who might this be? The general council (GC).
The GC’s primary responsibility is to mitigate risk to the organization. If an old-school CISO technologist reports to a GC, the GC might have a better chance of understanding the elements of online risk, how those risks fit into the overall health of the organization and how to articulate this to the board.
Or perhaps “it’s time for the CISO to report to the CEO,” says Peter Alexander, Chief Marketing Officer of cyber security firm Check Point Software Technologies. Peter remembers 30 years ago, “…when the Chief Information Officer used to report to facilities management! This was the day when information technology largely consisted of looking after communications tools like phone systems and fax machines…”
At the very least, the CISO should no longer report to the CIO. The CIO and the CISO are often at odds regarding budget. Simply put, the CIO receives an annual bonus based on his or her ability to save the organization money. If the CIO can do more with less, he or she is rewarded. This works well in I.T., where life typically gets easier due to the ingenuity of amazing technologists making better tech tools for business and life. Not so in security, where we experience the opposite. Life gets harder (due to the ingenuity of the bad actors). The CISO needs to spend money. His or her primary concern is to buy the best technologies and to hire the best staff and/or security team to protect the organization against new and evolving threats. When a potential breach looms, the department of the CISO shouldn’t have to buckle under the weight of saving money, while defeating hackers. When it’s time for war, the objective is to win!
Whether a CISO should report to the GC or the CEO, the strongest of the CISO species that will survive, will be those most adaptable to change.