How to understand the evolution of the CISO role
Edwin Doyle, Global Cyber Security Strategist, Check Point Software
If Ford Mustangs had evolved as rapidly as computers over the past 35 years, they’d now get 3,666,652 miles per gallon. This comparison highlights the extraordinary pace of improvement in compute power efficiency in recent decades.
As computing innovation has dynamically shifted, technology-adjacent roles have also taken on new forms and responsibilities. The evolution of the CISO role is a particularly strong example of this, and one which we will discuss today.
Evolution of the CISO role
Right now, the CISO evaluates aggregate organizational risk. The CISO identifies, assesses and responds to risk by remediating vulnerabilities, selecting and implementing security controls, continuously monitoring tools and technologies, gaining stakeholder mindshare and building trust among board members.
But the role hasn’t always looked like this. In the past, the role received little attention, due to the nature of its complicated algorithms and due to the fact that when all is well, the company has little cause to pay it attention. Closely examining the history of the CISO role can tell us about the future and what to expect years from now.
A brief history of the CISO role
In the early days of computing technology, computer viruses largely consisted of harmless and silly pranks. At that point, there was no internet. Once the internet came into existence, everything changed…
The term Chief Information Security Officer (CISO) came into use around 1994, when Citigroup (then Citicorp) hired Steve Katz to set up a new kind of security office. Responsibilities largely centered around security architecture and making technology more secure.
By the year 2000, CISO responsibilities included management of e-business alliances and cross-institutional data exchanges. After the economic downturn of 2001, the role began to shift once again. After a few more responsibility reshuffles and higher investment justification due to the potential disruption from threat actors, the role started to feel steadier.
In recent years, the role has progressed from a technically oriented, stereotypically geeky, lower-level position to one that requires a new command of the space that it occupies… at the executive level.
Why this matters: Key insights
During each evolutionary phase of the CISO role, the position has proven a mirror of the broader environment in which it functions. Thus, by understanding the evolving CISO role, we’re better positioned to understand businesses themselves – and the risks that they’re facing.
At present, risks to organizations are more all-encompassing and interconnected than ever before.
Here’s what this means
- CISOs must establish themselves as capable leaders at the executive level
- CISOs now commonly interact with the Board of Directors
- Some CISOs regularly interact with the legal team to assist with risk management
- CISOs must develop partnerships across government agencies, vendors and customers
Did you notice the number of different parties that a CISO must now communicate with?
The corresponding implication is that organizations now have engaged conversations around cyber risk. They’re also accounting for all elements of risk across wide cyber ecosystems. This is a strongly positive trend and one that will continue to expand in fresh directions.
Further thoughts
As the threat landscape evolves, so too will the CISO role. Precisely how the role evolves will tell us about overall business trajectories, which will, in turn, continue to establish the traditions, responsibilities and accountability requirements enmeshed within the CISO role.
The CISO role does not evolve in isolation. It’s more of a collage shaped by many artists. If your organization remains uncertain as to the precise configuration of the CISO role, turn to what’s happening at the heart of the business – that will inform the “next normal” for CISOs.
This is the first in a four-part series on the evolution of the CISO role and I encourage feedback through my LinkedIn platform, so find me here.