- Why Abacus?
By Paul Ponzeka, CTO at Abacus Group
In the past, the chief information security officer (CISO) of a business could largely rely on technical expertise to fulfil their role. However, as cybersecurity rises to the forefront of C-suite concerns, CISOs are now expected to be much more than security risk managers. In addition to their traditional responsibilities, cybersecurity leaders are increasingly being looked upon to be business enablers, taking their own seat at the boardroom table to help shape the strategic direction of an organisation.
But while their role has undoubtedly been elevated, are CISOs truly empowered? Not only is the CISO being asked to do more than ever before to protect their organisation, but cyber threats are continually evolving in volume, scope, and sophistication, making it easier for the CISO to become a scapegoat when things do go wrong. With the trial and jury conviction of Uber’s former CISO recently making headlines, many security leaders may be questioning if they will face the same fate in the event of a similar breach.
Furthermore, with cybersecurity awareness rising at every level of an organisation, more and more businesses are choosing to outsource their security operations, making the role of the CISO less fixed and easily definable than before. Some may even question if there is a place for the CISO in this more distributed ecosystem.
To keep pace in a fast-shifting landscape, the modern CISO must step more confidently into the business spotlight. This involves mastering a new suite of skills, from strategic thinking to ‘executive speak’, to redefine and embrace their new role as valued leader within the organisation.
With the rapid rise of the hybrid workforce expanding network perimeters and opening a whole new level of security concerns, cybersecurity has been widely accepted as an organisational risk, not just an IT problem. The board is now more aware than ever that just one serious security incident could derail the profitability and growth of the business, so security acumen is increasingly being factored into executive job descriptions. In fact, Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.
What does this mean for the CISO? With cybersecurity now playing a key role in strategic business outcomes, all cyber policies must be business policies – not technology ones. This change takes the traditional CISO firmly out of their comfort zone. They can no longer rely on raw technical skills alone to survive and thrive in the role. The CISO must be fluent in the language of business.
As a business professional, the CISO needs to understand the needs of the organisation, enforce the right policies, and get buy-in from management. This is crucial. Without the ability to make a business case for support of cybersecurity initiatives, the CISO will fail to make an impact.
Tasked with compliance, cybersecurity, and risk management, while also being expected to manage both business and technology demands and master executive communication, the all-new CISO has a lot of plates to spin. But there’s an extra layer of complexity to all of this. Cybersecurity awareness is constantly growing across the board, meaning that even the CEO and CFO (job roles that have not been natural bedfellows with cybersecurity) have an improved baseline understanding of it.
Better cyber awareness can only be good for businesses, but it puts the CISO under more pressure as expectations at board-level continue to evolve. Constantly putting out fires whilst simultaneously seeing accountability for cyber risks expand far beyond IT, CISOs risk losing control in a distributed ecosystem.
All the while, the regulatory screws continue to tighten on organisations. The Securities and Exchange Commission (SEC) has recently proposed new rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by regulated firms. This requires the CISO to give regular, timely, and accurate reports on cyber breaches – with their growing accountability often making them the public ‘face’ of any security failings.
Furthermore, growing numbers of businesses are embracing the notion of the ‘virtual CISO’ or CISO-as-a-service. With the ongoing cybersecurity talent shortage showing no sign of slowing and burnout within cyber teams increasing, bringing in service companies to meet evolving security needs is an attractive option for many organisations. Back in 2019, as many as 99% of organisations had already outsourced some parts of their cybersecurity operations – and the proportion of businesses entirely outsourcing their security needs is highly likely to have grown further post-pandemic.
Where does this leave the dedicated CISO? While their role may be broadening and evolving, many are in the midst of an identity crisis as their responsibilities become less concrete and more tech adjacent.
To keep pace, businesses need to take a fresh look at the role of the in-house CISO. This doesn’t mean changing the goalposts – the primary role of the CISO will always be to protect the organisation. But they also have an opportunity to step up as strategic thinkers, decision-makers, influencers, and so much more.
In some organisations, this shift is reflected in how the CISO has evolved into the BISO – business information security officer. Far from solely being the person in charge of patching or preventing cyber breaches, the CISO/BISO has become a leader and executive, working across the organisation to structure, delegate, and drive top-down security transformation. Therefore, the modern CISO should zoom out and view cybersecurity within the wider workings of the company, recognising and taking charge of all the interlinked factors that boost business resiliency.
Today’s CISO must adapt to the business-critical nature of their role. This involves proactively moving beyond the purely technical and embracing broader skills and knowledge, such as business risk management and relationship-building, particularly with vendors if the organisation chooses to outsource security operations. As the CISO role matures, it’s essential that this wider portfolio of expertise is reflected at the C-suite table.
Education is also pivotal. Executives need to be continuously upskilled and incentivised to take an outcome-driven approach to cybersecurity – and the CISO is ideally placed to take the reins. From a new position at the forefront of education and awareness, the CISO can ensure their organisation transitions securely while embracing digital transformation.
As cybersecurity increasingly underpins everything a business does, the CISO needs to be at the centre of business decision-making with the mindset of a leader, not just a technologist. While the role of the CISO is set to reach new complexities, opportunities are ripe for CISOs keen to adapt and embrace their new role as enablers of business innovation.