The CISO of tomorrow

It’s one of the most stressful jobs in security, thanks to an ever-expanding array of technologies, compliance requirements and threats, but the responsibilities of the CISO could be about to change. Jamal Elmellas, COO at Focus-on-Security, looks at the skillsets you’ll need to succeed.

This is a contributed article by Jamal Elmellas, Chief Operating Officer at Focus-on-Security.

The rise of security up the corporate agenda has seen the CISO gain a higher profile but it’s a role that could be about to change. According to Gartner, cybersecurity leaders are losing control due to the distributed ecosystem, the pressure to monitor proliferating network connections, and technically savvy employees who are now more confident about making decisions without consulting security leaders.

So where does this leave the CISO and what is their remit likely to be in this brave new world?

The CISO traditionally focused on technical implementations and protecting the business from attack. They’d answer to the CIO but otherwise have little involvement at board level. Now the CISO is very much part of the conversation and is often on a level footing with the CIO. But the changes identified by Gartner suggest oversight is being lost, making it difficult to control risk.

Security scapegoat

Lack of visibility was identified as the number one pain point for the CISO by Verizon in its report back in 2020, due to the expansion of IT infrastructure and the compliance environment. It deduced that CISOs are commonly the focal point for all data and cybersecurity questions from the board of directors, shareholders, auditors, regulators and media, but that they also tend to become scapegoats when things go wrong.

A report on CISO stress published around the same time found 88% were under moderate to high stress. As a result, the average tenure is just 26 months, leading to rapid turnover that makes it extremely unlikely the CISO can effect any real change, given that security plans take 3, 5 or even 10 years to come to fruition.

Reinventing the role

The solution to these problems is for the CISO to step back in order to regain oversight and for that to happen they need to be able to “designate responsibility, authority and capability”, suggests Verizon. It’s this principle that Gartner has run with, reframing the CISO from breach preventer to a facilitator of risk management that educates the C-suite and measures and articulates risk.

Interestingly, Gartner goes on to predict this will also see a shift in accountability from the CISO to business leaders once they are sufficiently equipped to make informed risk decisions. It anticipates that in four years’ time, at least half of C-level execs will have performance related cybersecurity goals inked within their employment contracts which may then become part of their performance-related pay.

In many respects this promises to elevate the CISO out of the mire, as they will no longer be forced to firefight but can effect real and lasting change. But it will radically change the remit, as most CISOs come from a technological rather than a strategic background and so are more comfortable with a practical, hands-on approach than a strategic, hands-off one. They’ve typically risen through the ranks having cut their teeth in network security, threat detection or compliance management, for example.

Future skillsets

Going forward, CISOs will still need to identify, prioritise and define security controls but they’ll also have to align any security strategy with the business strategy. It will be their role to drive understanding and ownership of these controls among senior management so that they can take more responsibility. They’ll also need to help HR blend cybersecurity KPIs into employment agreements.

Ambitious cyber security professionals who aspire to be the CISOs of tomorrow will need to widen their skillsets. Today they’d be expected to have an IT degree, possibly a Masters, certifications such as CISSP and approximately a decade of experience, as well as in-depth knowledge of security technologies and compliance regulations but there’s undoubtedly going to be more emphasis on business management in the future.

Leadership skills have always been an important part of the mix, but they’ll become crucial, bringing soft skills such as communication, problem solving and decision making to the fore. They’ll have to be far more adept at setting objectives and at designing and implementing security operating models. Finally, they’ll need to be politically astute and sensitive to the need to formulate cybersecurity policy that acknowledges the company’s Corporate Social Responsibility (CSR) to protect its data, employees and customers.

Job descriptions

It will be interesting to see how these predictions align with the Career Pathways Framework currently being developed by the UK Cyber Security Council. This aims to create a Register of Practitioners, similar to that seen in the medical and legal professions, to recognise ethical, highly qualified and senior security practitioners, and is expected to see roles become more clearly defined, with detailed job descriptions.

It’s a welcome step, particularly as the current shortage of cyber security talent is seeing job descriptions vary wildly. Some are even asking for CISOs with penetration testing experience, as businesses seek to cover multiple responsibilities in a single hire. As a result, CISO roles that typically took 3-6 months to fill are now taking much longer.

What is clear is that change is needed and will have to come from some quarter. Without it, the role lacks clarity and as business networks evolve and threats with them, the pressure will continue to mount, ultimately making the position untenable in its current form.

Jamal Elmellas is Chief Operating Officer for Focus-on-Security, the cyber security recruitment agency, where he oversees selection and recruitment services. He previously founded and was CTO of a successful security consultancy, where he delivered secure ICT services for government and private sector organisations. Elmellas has almost 20 years’ experience in the field and is an ex-CLAS consultant and a Cisco and Checkpoint certified practitioner.