Earlier, security was considered the lock on the door, but today it has emerged. Today, most organisations are on a digital journey, COVID-19 pandemic has made digital transformation an even more urgent need, and companies are also expected to keep up with the speed of emerging technologies. It’s a process of continuous learning and pivoting to adapt to an evolving competitive landscape. As a result, the responsibility of a CISO has risen above. Understanding the evolving role of CISOs and their responsibilities is important.
The evolving role of CISO
In pre-2000, CISOs were always behind the table, as security experts, putting in anti-virus, tuning firewalls, and ensuring the device’s functioning and protection. Then came an age where there were a lot of regulatory compliances in 2004, and the security personnel were asked to wear that hat and start doing regulatory appliances.
Soon after, came the cloud journey and social media. Suddenly security needed to take care of it and make sure the advanced technology was accessible to all, and again CISOs were expected to work over the above-mentioned roles, which were evolving the role of CISOs in all enterprises.
Expectations of CISOs are increasing in all aspects of the role, including policy development, review of technology controls, governance, and board reporting, influencing the cyber risk culture of business, and prioritising budget allocations based on business objectives.
The Age of CISOs
The last two years have been a boon for the IT sector, cybersecurity being a highly dynamic field. The need for rapid, experiential decision-making, organised thinking, and the ability to strategically communicate to a non-security audience is almost second nature to many CISOs, and with that, the major role of the CISO community is growing in size and scope as business demands intensify.
The role of the CISO is evolving faster than ever and is becoming the jack of all security and business trades. The CISO has evolved from a ‘business protector’ to a business leader today. Many strategies on how the CISO can be empowered and be on the mandatory boards of organisations are being planned.
As the role continues to evolve, so do the business knowledge and good communication skills, the CISOs are expected to re-architect security to meet current business needs, focus on network security, Multi-Factor Authentication (MFA) & Privilege Access Control, third-party security, be effective influencers, stress navigators, workforce architects, and future-risk managers.
Four facets of an effective CISO
To develop as a successful CISO and build a secure technology architecture, a certain set of skills is important:
Effective influencer
-Make it a point to regularly interact with executives outside of corporate IT. Recognise the influence of non-IT executives on the effectiveness of security functions. Seek to nurture a meaningful relationship with these executives outside of the individual project.
-Align with non-IT executives on risk appetites and influence enterprise-level decisions.
-Align with non-IT executives to reduce risk appetites and influence enterprise-level decisions.
-By clarifying information risk trade-offs.
Future risk manager
-Position information risk management as an accelerator of emerging technology adoption in the organisation.
-Inform senior decision-makers of new security norms and technologies.
-Make senior decision-makers aware of future risks.
-Develop automation strategies to prepare the organisation
Workforce architect
Have a future-focused talent strategy to meet the rising skill needs of the enterprise.
Increase the output and effectiveness of their existing staff by:
-Upskilling cybersecurity staff on business competencies.
Leveraging non-cybersecurity staff creatively.
-Developing a formal, actionable CISO succession plan.
Stress navigator
View their well being as a critical performance driver.
-Maintain rigid boundaries between their working hours and their personal time.
-Proactively manage their calendars.
-Define their responsibilities from the onset of their work.
-Routinely evaluate whether the projects they are involving themselves in are within scope.
Compiled by Sunidhi Malla
(These are some edited excerpts from Mansi Thapar, Global Head – Cybersecurity, Apollo Tyres address on ‘The Evolving Role of the CISO’ at the Information Security Conclave ’23).