The CISO Role Undergoes a Major Evolution

COMMENTARY

We are in a time of major evolution for the chief information security officer. Where things once felt cut and dry, the roles and responsibilities of a CISO now feel like a moving target — and it's essential that cybersecurity industry leaders start to nail those responsibilities down or face the consequences.

When CISOs are hired, they're often described as being responsible for implementing effective security, information security, and risk management frameworks at their organizations. But in light of the Securities and Exchange Commission (SEC) charges against the SolarWinds CISO, some might say the CISO the job description should include "Fall guy in the face of a cyber incident."

The precedent set by this case around personal legal responsibility has created a deterrent for the CISO role at public companies. With this new responsibility top of mind, it's a good time to talk about what it takes to be a good CISO — and where the job goes beyond the description.

Understand the Implications of the SolarWinds Case

The SEC's charges are a step in the right direction, as fines have proven to be ineffective at ensuring companies stay on track with their cybersecurity. But while the SEC is doing the right thing, it's not necessarily doing it in the right way.

Creating more accountability is a critical move, but the current path we are on rests that responsibility heavily on CISOs, who often oversee these activities but may not have the right amount of control to truly run them. Fear of this backlash has CISOs on edge. For example, Clorox's CISO is leaving the company as it recovers from a major cyberattack in December.

To avoid the outcome of the SolarWinds case is to learn from the SolarWinds case. Often, CISOs are removed from the finer points of cybersecurity operations. At a high level, they advocate for and push forward the organization's cybersecurity agenda. But they cannot simply provide final signoff on large decisions — they must stay informed on the threat landscape and continually collaborate with individual security teams within their organization. As the overseer for implementing effective security, that really means a CISO needs to be involved every step of the way. No stone should be left unturned, and no vulnerability should be a matter of oversight.

Ensure You're Working at a High-Integrity Organization

Along with control comes the matter of having a strong team surrounding the CISO. As global cyber incidents continue to spike, and disclosure and privacy regulations evolve, there's an increasing need to ensure that security, compliance, and risk management functions are in lockstep.

This means CISOs must be in constant communication with legal, compliance, and senior business partners at their organizations. As defined in their roles, CISOs often report to their chief legal and compliance officer, and these should be colleagues and partners they can trust implicitly. If anything feels shady or that trust is not in place, CISOs should take that as a sign to walk away.

With many fears around accountability swirling, we likely will see an increased number of whistleblowers in the next year around unsafe cybersecurity practices as a way to minimize personal risk and avoid potential criminal charges, pending a security incident occurring as a result of unsafe practices. As it stands, this puts CISOs in an uncomfortable position. A CISO at a high-integrity workplace will not have concerns about these kinds of leaks, but a CISO elsewhere should be worried.

Anticipate That the Rules of Accountability Can Change at Any Time

While a job description can't account for everything, a key skill for CISOs is to remain forward-looking and to understand where the industry may be headed. Accountability right now is being placed heavily on the shoulders of CISOs, but we may soon see this umbrella of responsibility get wider.

The Cybersecurity and Infrastructure Security Agency's (CISA's) Draft Secure Software Development Attestation Form is putting CEOs and COOs in the line of fire, and this initiative may continue beyond software. Though software producers likely will push back on this, claiming these roles have too abstracted an understanding of cybersecurity, it does signal a concerted effort by regulatory bodies to push responsibility to the very top.

For now, CISOs are taking the fall, but next year, it could be CEOs. Cybersecurity has become a discussion point at the C-suite and board levels, but these industry shifts may give CISOs the boost they need to make it the top priority in business discussions and avoid any individual liability.

Know That Being Always On Is Part of the Role

While a CISO can't predict every cyberattack, they can — and should — do everything in their power to be prepared for one. It is no longer enough to remain compliant and call it a day; CISOs must be more involved and proactive, looking to always understand new risks and global conflicts that can impact their organization's security posture. The best way to start is to dig deep into the job description and ensure every box is checked, every task is accounted for, and every team member is trustworthy.

A CISO is not a figurehead but an essential decision-maker regarding every security matter at an organization. With today's major focus on accountability, it is essential that companies take this time to get aligned on all things cybersecurity for a potential future where every C-suite leader needs to play a role.