The tasks topping the CISO's to-do list are slowly shifting, as their core priorities transition from primarily technical expertise to securing business applications and processes.
It's the key takeaway from a new report, conducted by Enterprise Strategy Group (ESG) and commissioned by Spirent, on how CISO responsibilities are shifting as cybersecurity becomes more complex. Researchers polled 413 IT and security pros with knowledge of, or responsibility for, the planning, implementation, and/or operations of security policies and processes.
"There's a transition from a technology focus to a business focus," says Jon Oltsik, ESG senior principal analyst. "And that doesn't preclude the oversight of technology, but the technology is sort of guided by business initiatives, business applications, business goals, things like that."
About 80% of experts say security knowledge, skills, operations, and management are more difficult now compared with two years ago. They attribute the complexity to growth in the number and sophistication of malware, IT projects, targeted attacks, and connected devices.
Nearly all (96% of) respondents say the CISO's role has expanded, and the primary driver of their prominence is increasing difficulty of protecting enterprise data. Nearly 80% point to malware as the primary reason, and many claim between 80-90% of malware attacks target a single device, and 50-60% of malicious Web domains are active for one hour or less.
Organizations are increasingly digital and cyberattackers are taking precise aim to poke holes in their defenses. Oltsik calls it "death by a thousand cuts". CISOs have seen breaches and regulations increase as more people realize the business is driven by tech. "Regardless of what business you're in or process you're talking about, there's an IT underpinning," he notes.
CISOs are becoming part of more board-level discussions to prevent breaches.
"There's a real shift from reactivity to proactivity," says Oltsik. In the past, companies built their defenses and hoped nothing bad would happen. When something eventually did happen, their responses were poorly organized, inefficient, and took a long time to put into practice. What's more, responses were tech-oriented – not business oriented. The answer to compromise was "let's fix the system" and not, "how do we fix the business," he explains. Now, this has changed.
The CISO's Growing To-Do List
How the CISO's responsibilities change depends on the size of the organization, he continues. In a smaller organization they'll be more involved with technology; less so in a larger enterprise.
"They're being asked to participate in board-level meetings, business planning meetings," Oltsik says of CISOs who manage within larger organizations. Especially in larger companies, the CISO is moving more toward business skills and away from technical skills.
Business leaders used to ask the CISO what controls they needed; now they want security embedded in business planning and application development. "You want security expertise in the operations groups, you want that in development groups, you want that in each component of operations, including the cloud," he adds.
CISOs also have a responsibility to convey security data to business professionals, adds Amie Christianson, director of Operations Application Security at Spirent. High-level executive summaries help board members understand the threats affecting their business.
She uses a medical example. "When I get my lab results, I want to see at a high level what they are, and am I within a certain range," she explains. "And that gives me peace of mind." A doctor might see more details and act differently on the data, but a summary tells her everything she needs to know about her health. The same applies for CISOs and security summaries.
More Projects, More Problems
The increase in corporate IT projects is the second-biggest driver of complexity, researchers found, and projects related to IoT and cloud make security a greater challenge. Oltsik says he's seeing more digital transformation applications, more IoT apps, more social media use, and greater reliance on mobile devices and applications.
Business processes and initiatives "are happening at a faster pace than they did in the past; they're being done in an agile manner," he continues. Applications have gone from six-month release cycles to multiple releases per day, and all of that affects security. Security teams used to plan for risk assessments and controls every few months; now, it's every day.
When they face a new project, CISOs who have responsibility from the get-go can address security at the beginning and continuously test it throughout development. Most (86% of) respondents agree integrating security in project planning can lessen the likelihood of a breach, and 79% agree businesses should more frequently test security controls.
As security budgets continue to grow – and researchers found they will among 92% of respondents – businesses are shifting their spending from point tools to more integrated architectures. Professional and managed services are becoming popular as CISOs realize they lack the staff to handle the many security tasks they're assigned.
As for outsourcing, "pedestrian areas" like email security and Web security are the first to leave the business, says Oltsik. While these are the most frequently outsourced, he says he's beginning to explore the implications of using outside firms for threat detection and response.
Ultimately, he anticipates, we'll see the role of the CISO split in two: a chief business security officer, who focuses on the enterprise, and a chief technical security officer who focuses on the systems. Christianson agrees: as security becomes part of the risk conversation, the business-focused CISO will be required to communicate with risk and compliance officers.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio