I’ve spent a good amount of time speaking with CISOs over the past month and plan to write up a report about what I’m learning sometime after the RSA Security Conference. In the meantime, it’s become crystal clear to me that CISOs are becoming more and more proactive in their jobs in a few areas including:
- Threat intelligence. In the distant past, most organizations really didn’t believe they were potential targets for cyber-attacks. Yes, CISOs were responsible for building adequate defenses, but this job was seen as a purely technical endeavor. At that time, hackers were hackers – outside of Ft. Meade, few cybersecurity pros distinguished between cyber-criminals and state-sponsored actors. This attitude changed over the past few years as executives witnessed an increasing number of publicly disclosed data breaches. When data breaches occurred, CEOs quickly phoned up the CISO to ask what happened and whether their organization was at risk. More recently, CISOs have taken risk oversight to the next level by actively monitoring threat intelligence to better understand cyber-adversaries and their tactics, techniques, and procedures (TTPs). A CISO I spoke with stated, “I’ve really embraced the Sun Tzu quote, ‘if you know your enemy and know yourself, you need not fear the results of a hundred battles.’ My day begins by studying threat intelligence to better understand who is attacking us and why. I use this knowledge to educate the board and get them more involved in risk mitigation.”
- Privacy. While privacy is closely related to security, it’s been little more than a side project for many CISOs in the past. Given the focus on GDPR (and other regulations) this is changing, however. Now, data privacy is evolving from a legal matter to an applied initiative. As one CISO put it, “With GDPR, the legal team needed help to operationalize privacy. This brought more and more responsibility to CISOs since we specialize in operationalizing policy.” This means that CISOs are spending more time working with business units to discover, classify, safeguard, and monitor sensitive data.
- Business initiatives. As my colleague Doug Cahill likes to say, ‘security is moving to the left.’ In other words, organizations are building security into applications and infrastructure rather than bolting it on afterward. CISOs are at the tip of the spear here, becoming more involved in business planning and strategy. One CISO talked about this change as it applied to cloud computing: “Once the organization decided to move aggressively toward cloud computing, I tasked the security team with designing, testing, and building a cloud security platform that could support any future decisions on hybrid cloud technologies. Our goal was to align with and enable the business for the long term.” CISOs are taking similar active roles with IoT applications, digital transformation initiatives, etc.
As part of our annual research project, ESG and the Information Systems Security Association (ISSA) asked 343 cybersecurity professionals to identify the most important qualities of a successful CISO. More than half (52%) said leadership skills, 43% said communications skills, and 35% said a strong relationship with business executives. Clearly, they will need these types of skills as they address changing job responsibilities and evolve from reactive to proactive CISOs.
More on my CISO research soon!