In this President's Letter, Frederica addresses the evolution of the Chief Information Security Officer and his/her influence across the entire organization.
President, JB Homer Associates
The Ever-Changing Role and Evolution of the CISO Today
After interviewing many strong candidates for global and enterprise-wide CISO roles, I have discovered that this business expert has become a sought-after commodity for every enterprise. The CISO is viewed as a trusted advisor not only to the CIO, but is also becoming increasingly influential with the Board as well as the CEO, CFO, and CTO.
The CISO in demand today has taken on a hybrid role that is global in nature. As a business technology leader in cyber-security, this C-suite executive presents to the Board and knows how to mitigate risk. The CISO is seen as a critical risk manager who knows when to intervene, and as a subject-matter expert who can communicate the measures required to execute penetration tests, is proficient in SOX compliance, and is prepared for a cyber-attack and for disaster recovery.
The core competencies of the CISO have evolved. There is more emphasis on communicating across all business units to deliver the right message and to intervene to secure the proper investment. Mergers and acquisitions, as well as new product launches, are at the forefront of the CISO's mind. Security, legal, and financial issues are all on the table for discussion with the Board. "How do CISOs involve key internal and external stakeholders in security matters?"
Companies today are moving toward SaaS, cloud-based solutions. Yet clients are not keen on sharing their proprietary data. They prefer to hold it close to the vest, agreeing to share only survey data that is not considered competitively sensitive.
The CISO needs more gravitas now than ever before to influence the Board and effect change on par with the CFO, CIO, and other key executives when it comes to major breaches and cyber-security attacks. Needless to say, this protects the integrity of the company, its employees, and its bottom line. The role also makes the CISO an educator across the enterprise.
The CISO is no longer the executive who lectures on the need for new technologies; rather, this person is the one who communicates the needs of an ever-changing business and serves as the enabler through risk management. At one time, risk management was relegated to legal and finance; today, however, the security leader is the third leg of that foundation and often serves on the risk management advisory team. Cyber-security is an enterprise-wide risk management issue, not just an IT issue. CISOs need access to their C-level counterparts to ensure alignment and to influence employee behavior. It behooves the organization to create a cross-functional team of key stakeholders to develop an information security strategy.
As organizations become more involved with the Internet of Things (IoT) and employees have access to vast amounts of data, it will be interesting to see how much more security and enterprise-wide systems will be put in place to protect the company's assets.
The questions we might ask ourselves are: "What safeguards are in place for shared information systems, e-mails, smartphones, and iPads used by employees and third-party providers in large organizations?" "Is encryption in place to protect intellectual property and proprietary data?" "How does your organization's information security program compare to that of its competitors?"