The chief information security officer (CISO) role continues to evolve, just as the business context in which they operate is driven by continuous advancements in technology, growing emphasis on the importance of data, and evolving ecosystems of suppliers and partners. Also ever-changing is the threat, security and regulatory landscape which dominates their lives.
All of this puts an added layer of pressure on CISOs and their teams, both today and in the years ahead, especially as trust (trust in stakeholders, companies, third parties and more) rises to the top of everyone’s minds.
To navigate the pressures ahead, while also ensuring trust is at the foundation of everything a CISO and their team does, here are five actionable tips to lead and develop a best-in-class cybersecurity function.
Act like you belong in the C-suite
CISO priorities are shifting from technical concerns over perimeter security and identity management to major strategic challenges, including brand trust and cyber resilience. This shift in priorities reflects greater CEO and C-suite attention and, increasingly, a direct reporting line. According to a recent KPMG survey, cyber risk was ranked as the number one organizational threat by global CEOs, with data security taking priority over all other technology investments. So CISOs not only need to start acting like they belong in the C-suite; they deserve a seat at the table. That seat, however, brings its own challenges.
To gain the trust of company leaders and board members, communication matters. Effectively communicating risk, educating around the impact of cybersecurity, bringing unique perspectives, managing expectations, and building mutual respect — these are all critical components of a CISO’s role. For example, CISOs must lead a dialogue with the board and executives around how cybersecurity plays into all decisions to improve business outcomes and how to manage the risks accordingly.
Shape your organization’s future cybersecurity workforce
Cybersecurity faces a critical skills gap across a wide range of areas, and the war for talent is further increasing attrition. Looking ahead, new roles are evolving that may not even exist today (e.g., resilience strategist, ecosystem security leader, cyber risk modeler, artificial intelligence (AI) ethicist and more), while automation and changing security architectures may make others disappear entirely. To shape the future cybersecurity workforce at their organizations, CISOs will need to assess the existing and new capabilities needed to stay on top of emerging threats.
We are likely to see more outsourcing for talent and capabilities as well, whether it’s outsourcing to specialists and managed service providers or leveraging automation to deal with transactional tasks. Getting the partnership between human and machine right will take some time, and CISOs need to be prepared to be innovative in trialing new tools and technologies, as well as linking up with the innovation and experimentation initiatives the CTO and broader business transformation teams are running.
CISOs also need to be open to co-sourcing models for access to scarce skills and additional capacity, establish trusted partnerships with their providers, and be clear on the core skill sets which need to be retained in-house as security delivery responsibilities shift between organization and service providers.
Embed cybersecurity into your organization’s DNA
Although cybersecurity responsibility comes with the CISO’s role, it’s also everyone’s responsibility in some form. Cybersecurity should be a key part of building trust and integral to corporate strategy, rather than an afterthought or knee-jerk reaction to an event. To do this, CISOs must be agents of change, starting at the top with the board. Once the board and executives are supportive of implicit security, CISOs have a stronger foundation to spread the message more widely to employees, development teams, and third parties.
Embedding cybersecurity needs a blend of leadership and evangelism, the establishment of a culture of personal responsibility, creation of the right incentives on teams through targets and metrics, streamlined processes, unobtrusive security controls, and an agile approach which can integrate with the organization’s innovation approach.
As we become more virtual and digital, a CISO’s role moves away from being enterprise-centric to recognizing that this is a collective effort. They’re not the only one facing this challenge, so they need to look externally to help the community become stronger, as well as reporting any violations or attempted threats to regulatory bodies.
Embrace automation to enhance your role and team
As data volumes continue to increase, automation is becoming a must-have for any cybersecurity team. For example, automation can help reduce workloads, increase efficiency, improve consistency, reduce errors, accelerate responses, and support decision-making. Additionally, regulatory demands can be a major challenge for global brands. With automation, cybersecurity teams can manage the privacy and security landscape more easily through fast, efficient data gathering and continuous monitoring of controls.
Although automation has major benefits, it won’t replace the need for humans who will be tasked with taking the more uncertain decisions and providing strategic advice and support.
Prepare for further disruption
CISOs must adapt technically and strategically to a fast-changing world. A key disruptor will be artificial intelligence and the application of machine learning. AI brings benefits in terms of sophisticated security analytics, enhanced decision support, and effective orchestration and automation of processes. It also brings a new set of challenges in terms of how we secure AI systems and ensure privacy issues are respected in the use of such systems. All technology innovation brings both opportunity and risk, and we can expect no let-up in the pace of innovation.
Organizational boundaries are disappearing as we move to the cloud, embrace managed services, and open up APIs to third parties. CISOs are acutely aware of the complexity and threats resulting from our increasingly interconnected ecosystem of partners, and they are focusing on new approaches to verify the reliability and continuing security of third parties to ensure greater trust.
Be ready to respond
Even the most robust protective defenses can and will fail. Suddenly, the CISO is in the spotlight as they fight to deal with a major cybersecurity incident and restore the security and integrity of systems. The trust they establish with the C-suite today is the foundation for an effective response to tomorrow’s cyber incident.
A CISO with a resilience mindset is well-placed to help the organization prepare for the worst and be confident in their ability to recover in a timely way with access to the specialist support they need. A key part of preparation is taking time to exercise and wargame potential scenarios, helping bring these complex and potentially highly disruptive cyberattacks to life for senior executives.
According to IDC, by 2023, 55% of organizations will allocate half of their security budgets to cross-technology ecosystems and platforms designed for rapid consumption and unified security capabilities to drive agile innovation. By the same year, 80% of organizations faced with complex global regulations will increase security compliance automation investment by 25% to ensure all policies are met consistently.
This tells us that more complexity is inevitable, and CISOs must have a seat at the table to help leaders navigate the future with confidence. And not only have a seat at the table, but have a best-in-class cyber function behind them.