Newsflash: the CISO is no longer concerned with security

First things first: an apology. That headline is deliberately provocative. Of course security will always be integral to any executive role that has the word ‘security’ in the job title. Duh. Stupid clickbait. But bear with me, because there is a case to be made for the idea that CISOs today are reframing their job descriptions in terms quite different from those of even just a few years ago. The CISO is no longer concerned with security alone.

Ensuring security in a vastly complex threat environment is not as straightforward as it once was (if it ever really was that straightforward). Security professionals now talk about the inevitability of the breach, and getting hacked has become a question of when, not if. As a result, the tone of the conversation has shifted from keeping the bad guys out to managing their potential impact on the business.

Reflecting this change in emphasis, most of the conversations I’ve had with CISOs over the past 12-18 months have centred around the concept of managing risk, rather than enforcing security: what is the impact of a security breach on the organisation, and what needs to be done to mitigate that impact?

Paul Crichard, Head of Cyber Research at Vodafone, believes that while the CISO role will always have a technical element to it, the position is now much more focused on talking about business risk.

“There is now pressure for CISOs to communicate in an effective manner with different levels of the business, making security and risk real for them,” he told me. “Whereas initially we were there to fill a void or plug the leaks, we’re now evolving what the CISO can do. It’s about how you engage the organisation as a whole in conversations around risk – everyone from the IT department to the HR department to the finance department.”

Andrew Jutson, Chief Information Security Officer at Travelex, agrees. “The CISO is still, essentially, a technologist. But they also need to be able to communicate with all levels of the business,” he says. “They need to be able to have those conversations with the IT and engineering teams and understand the issues in play, but then have the ability to take that message and communicate it to the board in a way that those executives can understand, too. A good CISO can make that transition.”

Such a role requires excellent communication skills, including the ability to present research and recommendations to different audiences that have varying levels of understanding. The IT team is concerned with technology metrics, how IT systems and processes are performing; the C-suite, on the other hand, wants to know how the business decisions they are making balance revenue growth against increasing risk. As Jutson points out, the CISO provides a bridge between these two points of view, and must be able to talk fluently in the language of each group.

Indeed, just as the CFO and general counsel consult on the financial and legal implications of business decisions, so must the CISO transition to a more advisory role when it comes to identifying and highlighting the security risks inherent in those decisions. What are the benefits versus the potential downsides? It’s no longer just about blocking, controlling and shutting things down.

“Dealing with the unknown unknowns is a real concern,” suggests Jutson. “Increasing awareness and visibility of the various different attack vectors is critical. And contextualising risk in a way that the business can understand is increasing in importance. Those are the key issues for today’s CISOs.”
