Fleeting strategic importance? 2016, the year of the CISO

In the old days – if anyone had heard of the Chief Information Security Officer (CISO) at all – it was a bit of a dull, forgotten technical role that reported into IT and nobody else took much notice of.

Now, as “business transformation” and “digital transformation” are the subject of every senior-level talk going – and security has really hit the headlines – the CISO is suddenly extremely important indeed within the business. And so, we take a look at the rise of the CISO in 2016… and whether this prominence can really last.

The rise of the CISO

Pravin Kothari, CEO and founder of CipherCloud, believes “CISOs are on the rise” along with security budgets, particularly inside large enterprises. He points out that since 2014, Target, Neiman Marcus and Home Depot are among the companies that have appointed their first CISOs.

Not everyone totally agrees with this though. “There hasn’t necessarily been an increase in the number of companies hiring CISOs,” suggests Daniel King, cybersecurity consultant at ReThink Recruitment, “but there has been a significant growth in CISOs’ budgets.”

The core view of most of the experts we spoke to was that, while it is not clear if there is a higher number of CISOs now, these individuals are definitely gaining a stronger position within the business.

“Increased awareness of information risk has led organisations to create executive-level roles over information security and to move the reporting line of the head of information security to a higher level within the organisation—often only one to two steps from the CEO,” says Jeremy Bergsman, a practice leader at CEB.

“In my opinion the CISO role is becoming more business-oriented and transcending the IT part of the organisation,” says Adrian Crawley, regional director of Radware. He adds that the CISO is now at least a peer with the CIO or CFO.

Michael Sutton, a CISO himself at Zscaler, agrees: “CISOs are gaining a much more prominent role in most organisations. They are no longer serving a back-office function hidden behind the scenes. They are now expected to address the board to explain the proactive steps that they are taking to prevent their company making headlines after a data breach.”

The new role of the CISO

So, what do CISOs now do? “CISOs in companies just formalising the information security function need to be great communicators and salespeople,” says Bergsman. “Their role is essentially to explain to senior and middle management why information security is part of everyone’s job and convince them to do their part, even when it may slow them down or cost them extra money.”

“CISOs with more established information security functions require a very different set of skills [however],” he adds. “Their most important activity is talent management—ensuring that security staff are ready for [ongoing] challenges. They also need to be visionary leaders who can see the direction of their business and the threat environment in order to anticipate the future security needs of the organisation and inspire business leaders, the board of directors, and their own teams to move there.”

“Today, successful CISOs must go beyond technical knowledge,” suggests Gerard Bauer, VP EMEA of Vectra Networks. “They must be able to translate technical security decisions into business speak. The role of the security team should transition from the department of ‘yes/no’ to the department of ‘monitor, manage and adapt’.”

“With the consumerisation of IT, it is no longer realistic for the networking or security departments to block access to resources without offering alternatives,” says Sutton, CISO at Zscaler. “CISOs should take note of employee behaviour, identify their needs and seek to provide solutions that empower users in a way that is acceptable within the confines of overall corporate risk.”

“The skill set is very broad and crosses multiple disciplines,” adds Vickie Miller, CISO at FICO. “A grasp of all facets of technology, knowledge of all compliance and data regulations, with an expert level in harmonising all of those controls into a coherent set of policies and standards. At the same time the CISO needs to understand how his or her company makes money, how to negotiate for resources and funding, how to lead crisis communications.”

“From my experience there are many core traits shared by almost all CISOs, not least the ability to battle for a safer company environment whilst also being able to carefully manage tight budgets,” says King, who weighs in from the recruitment perspective.

When it comes to hiring for the role, he says: “At the moment, the biggest challenge is probably related to salaries and employment packages. Thankfully, more firms are starting to recognise the level of security that they actually need and are looking to take on people in these roles.”

The challenge for CISOs

“Most companies have two misunderstandings about the CISO role that lead to mistakes in hiring,” says Bergsman of CEB. “Firstly, they consider the CISO role to be a technical role when often the job requirements have very little to do with technical knowledge.”

“Secondly, they believe that it is the responsibility of the CISO and the information security function to find and mitigate information risk. We have seen many CISOs hired, often in a hurry after a breach, who fail to gain traction [i.e., the necessary buy-in from senior management] and leave the organisation in less than a year.”

“The main challenge is convincing senior managers about the importance of online security and protecting a company’s data,” agrees King. “I have numerous conversations with CISOs reporting that their leaders don’t understand how vulnerable their systems are and what could happen in the coming months if they didn’t get the support they need.”

On a more pragmatic job level, Bauer of Vectra Networks says: “The CISO’s challenge is to put in place the capabilities that close this gap by identifying the activities of the attacker inside a network before a data breach occurs, but without impeding business operations.”

“Security is often viewed as a cost centre and one that doesn’t help to drive the business,” adds Sutton. “This is an opportunity for progressive CISOs that can successfully eliminate this perception by empowering employees while reducing risk and cost by leveraging cutting edge solutions.”

What next for IT and CISOs

It is clear that the CISO’s role is in a state of transition. At present, like many activities associated with IT transformation, a lot of the CISO’s function comes down to getting senior buy-in on security. Yet this won’t be an issue forever. And so, over the coming years, this role is likely to develop further.

“There is a rapidly increasing number of activities that might be managed by different people within the organisation,” says Bergsman. He points to IT security, information security, information risk management, IT risk, data privacy, records management, data governance and says “assigning all these activities reflexively to a CISO reporting to the CIO is not likely to be the best solution.”

This is an important point, because as the role of IT mushrooms, things are only set to get more complicated. “We believe the most common path in the next three to five years will comprise three separate roles,” continues Bergsman.

He believes these are likely to be: “IT security operations”, which will be housed within the infrastructure function of IT; “IT risk management”, a small group housed within the office of the CIO; and an “information governance and risk management function” reporting to the Chief Risk Officer or General Counsel, depending on the company’s business model.

If this is correct, maybe the big, important role of CISO really is only a temporary thing. And while 2016 may be the year for this function… by 2018 it will be over.
