The 21st Century CISO Has Evolved: More Power Now Means More Responsibility

CISOs now have a seat at the boardroom table. With that comes myriad new responsibilities and new challenges. CISOs who have made the journey from technician to full-fledged executive share their advice.

Samara Lynn

The role of the CISO has evolved from that of a tactical IT professional, tasked with putting out cybersecurity fires, to that of a top-level executive rubbing shoulders in the boardroom with others in the C-suite. CISOs are becoming more involved in crucial day-to-day business decisions.

Why is this? According to IDC's recent study, "The Changing Role Of The CISO," CISOs have become critical to an organization's success and profitability.

And as they say in the comic books, with great power comes great responsibility. CISOs are now asked to do more while also serving as sentries against cyberattacks.

Yet CISOs still face challenges in getting equal treatment at the C-suite level. According to IDC's study, one of the biggest hurdles is that CIOs expect more from a CISO's skill set. No longer is it sufficient for a CISO to know how to defend, detect and respond to cyberattacks -- they now need hardcore business acumen.

CISOs' New Responsibilities

"The CISO now has a bunch of different responsibilities, for one, compliance, they are responsible for working on the line of business [and] the CISO will also support the board of directors," said Frank Dickson, program vice president, cybersecurity products at IDC, at a session at Check Point's recently held CPX 2024 conference.

IDC's study also highlighted additional skills the successful CISO must acquire, including customer support, a grasp of business strategy and architecture, leadership, risk management and compliance.

Several CISOs agreed.

"You shouldn't be a CISO if you aren't expected that going forward in the future, you are going to need to be engaged and actively interacting with customers," Dan Creed, Allegiant Air's CISO, said at a roundtable discussion at CPX.

CISOs have "all had to develop that skill set so that we can make cybersecurity a business conversation and not just a technical conversation," Cindy Carter, Check Point Software Field CISO, said.

More Power, More Potential Problems 

IDC's study also cited conflict with CIOs as another challenge for CISOs.

"CIOs are irritating the CISO, the CISO is irritating the CIO," Dickson said.

The goals of the CIO and the CISO are not always aligned and can cause tension between the two, according to IDC's study, which surveyed 847 IT decision-makers at the director level and above in 17 countries. Top sources of friction:

For CIOs:

  • 21 percent said that security activities frequently cause disruptions, impacting IT operations
  • 16 percent said security is challenged in integrating technology requirements to broader enterprise applications
  • 10 percent said security makes too many unilateral technology choices

For CISOs:

  • 20 percent said IT activities are frequently causing disruptions, impacting security operations
  • 20 percent said IT is challenged in adhering to security's standards for its implementations
  • 13 percent said IT makes too many unilateral technology choices

With burgeoning responsibilities, CISOs report another concern: liability. As they become a more integral part of the C-suite, some say they are held just as accountable for business mishaps as other executives.

"We now have as much risk from a liability standpoint as the CEO, the CFO do," Creed said. "The only big downside to that is we have the same accountability as them now," he added.

Still, during the discussion many of the CISOs said they embraced their heightened presence in the C-suite and that it helps them make their case for the security programs they need to implement.

"Our chairman of the board called me twice a couple of days ago just to chat," Creed said. The interaction establishes a relationship with the board, he said.

"You have to have that conversation with the board of, look, the reason you need to include me in board-level discussions around what our strategy is, is [that] every strategy, every business transformation that we have, has some kind of risk of IT security or risk people … Cybersecurity is business risk," he added.

For Carter, cybersecurity "is no longer the redheaded stepchild of IT. We're also getting our own voice. I'm very optimistic about that."

 

 
