The State Of The CISO Role: How Will It Change In 2019?

Forbes Technology Council
POST WRITTEN BY
Francis Dinha

There were 184 million ransomware attacks worldwide in 2017, according to Statista (paywall), and new threats seem to emerge every day. With the cybersecurity space facing growing risks as hackers become more sophisticated, the typical C-suite clearly requires a dedicated security executive — hence the chief information security officer (CISO) role.

As a relatively new C-suite role, the CISO has traveled a somewhat bumpy road toward widespread adoption. Not all organizations have embraced the need for a CISO yet; some have elected to keep all security initiatives under the chief information officer (CIO) role. Similarly, organizations with CISOs may box the executives out of product development, often because a focus on security can reduce speed to market.

However, as industry awareness of security concerns rises, I've noticed that businesses are realizing the necessity of hiring a CISO — and incorporating their expertise into organizational decision making.

The CISO Role So Far

Many enterprise leaders still associate the chief cybersecurity role with the CIO. But comparatively, the CIO role is broader than the CISO role — the CIOs I know typically shoulder responsibility for the entire organization’s infrastructure and information management.

The CISO, on the other hand, typically digs into the nitty-gritty of security. While CIOs typically determine how to store data, CISOs may decide how to secure it. They usually develop and manage key aspects of the organization’s data security strategy, including encryption standards, access protocols, compliance requirements, incident response standards, and more.

A focus on profitability presents another point of tension in the comparison between the CIO and CISO roles. In my experience, when DevOps teams build new products, they aren’t always incentivized to obsess over the security of a product they’re rushing to market.

From the CISO’s point of view, however, the behavior of those product teams would be reckless — it prioritizes short-term profit over long-term dangers. If there’s no security leader in the room, there may be no voice of reason questioning how a product would stand up against bad actors once it’s in the hands of customers.

In the past, chief security responsibilities typically nested under the CIO. However, I believe the responsibilities and workload of network security and broader network operations now surpass the capabilities of a single corporate executive. It’s time for corporations to get serious about defining and embracing the CISO position.

The Evolving CISO Role

CISOs aren’t always the most popular voices in the room because their concerns can sometimes limit the enterprise’s ability to develop and launch products quickly. But as organizations increasingly grasp the need for enhanced security strategies in new offerings, I predict that employers will start to see their CISOs differently — to the benefit of everyone, from executive leaders down to the end customers. This could happen in several ways:

• The CISO role will grow and gain respect. C-suite leaders often appreciate the urgency of strategic security concerns when new tech — such as IoT and AI — emerges. But organizations that continue to rely on CIOs for their security strategies should be wary of the consequences associated with a single executive who tries to fill the jobs of two people. Consumers notice security risks too and aren’t backing away from concerns about their data. PwC found that 71% of consumers studied would stop doing business with a company for giving away their sensitive data without permission — and 69% said they believed companies were vulnerable to attacks. In response to the concerns of users, I expect that businesses will bow to the pressure and invest more in cybersecurity expertise and leadership.

• The CISO will become an enabler rather than a disabler. While some operations folks may roll their eyes at CISOs’ tendencies to slow down product development, emerging legislation will likely implement further protections for customer data. When smaller tech players become aware of the dangers of violating regulations like the European Union’s General Data Protection Regulation (GDPR), the consequences of noncompliance could become much more real. As more legislation emerges to define how organizations use and store sensitive data, I expect that CISOs will transition in people's minds to enablers — key consultants in the mandated security elements of development — rather than barriers to product launches.

• Enterprises will embrace CISOs’ teaching function. Employees can present a serious risk to the enterprise due to poor security practices, including by choosing easy-to-break passwords, clicking on malicious links in phishing emails and working on public Wi-Fi networks. In fact, Willis Towers Watson claims 66% of cyber breaches are caused by employee negligence or malfeasance. Two examples of this are the 2016 FDIC breach reportedly caused by an employee's personal storage device and a City of Calgary privacy breach that allegedly originated from an employee email. The CISO’s job should include developing and communicating security best practices for the workplace. If we witness employees of major companies harming their employers through a lack of security knowledge, I expect organizational leaders to embrace CISOs’ ability to teach safe and smart technology practices.

While the CISO role may not be as widely accepted as the CIO role yet, I believe cybersecurity risks necessitate a C-suite security position. Going forward, I predict profit-minded executives will increasingly understand that their customers and bottom lines can suffer if they don’t adequately prioritize security — creating new opportunities for CISOs to spread their wings in the enterprise.