CISOs in the security industry hold a unique position: as security leaders, they have the influence and access to purchase products and make decisions that can drastically affect the security posture of an organization. They are also expected to fall on their sword in the event of a security incident going public.
But the role of the CISO is as diverse as it is dynamic, varying massively depending on the organization, and is a role that's constantly in flux. Here are three things that every CISO wishes you knew.
The CISO's Role Is Changing Before Our Eyes
When the need for a security leader first appeared, as computing and the use of the Internet became widespread, they represented something of an isolated figure. The role was viewed by other members of the business as a subject matter expert, there to put out fires and deal with security concerns in a self-contained manner. The less that other areas of the business heard from the CISO, the better.
In the 18 years I have been working in security, this relationship has changed drastically, in line with how security has evolved. Now it is common to see data breaches making headlines, affecting share prices, and causing high-profile board member resignations.
As such, we're starting to see a trend where CISOs report directly to the CEO in order to keep them informed of security concerns. This position moves security leaders out of the realms of a trusted subject-matter expert into a much more complex role within the business ecosystem: a risk adviser. This role can often make the CISO's job much more politically sensitive. For example, a CISO might have to report weaknesses or vulnerabilities, which would fall under the CIO's remit, and therefore have the potential to create friction at an executive level. This is why I think it's so important that the CISO has a direct and unfiltered line of communication to the CEO so that politics are left out of decisions that need to be made purely with risk prevention in mind.
In addition, by elevating the visibility and importance of a company's cybersecurity program, security practitioners are empowered to take responsibility not just for technology decisions (what's the best way to address a specific requirement) but also to problem solve to reduce risk and increase long-term performance and growth. Business controls, user policies, supplier assessments, all contribute to creating a best practices cybersecurity program that supports the entire business ecosystem.
CISOs Are Capable of Helping Other Areas of Business Function
The increasing importance of security to wider business concerns has provided CISOs with ample opportunity to help in other areas of the business. For example, the CISO can provide insight relative to best practices toassist customers with configuring their own security systems. This is especially important if the customer in question has not reached a level of maturity where they have a CISO of their own. This advisory role can be crucial in fostering, maintaining, and developing good working relationships with customers, and can even help to generate fresh streams of revenue for the business.
This is of particular importance to CISOs working at security companies: Being able to impart the technical knowledge of the product as both a practitioner and a salesperson can be invaluable. CISOs can also be extremely useful in the "soft power" they can offer their company, as company spokespeople, public spokespeople, and influencers.
Questions of Ethics and Technology Are More Important Than Ever
Although the role of the CISO has undertaken significant diversification in recent years, one facet of their role remains: CISOs are security practitioners, directly involved on the front lines of defending organizations from threat actors.
Considering this purist view of what a CISO does, it's of paramount importance that questions of ethics remain at the forefront of conversations around new and emerging technology. As the pace of technology development grows exponentially, we are provided with a plethora of new technologies to protect our corporate environments.
However, every new tool, defensive method, or technique developed by defensive security teams is also accessible to threat actors: Creating an artificial intelligence or a machine learning product to defend from threats will conversely provide black hats with the same technological opportunities for attack that we are provided for defense, elevating and escalating the battle even further. This is of particular concern when considering the extremely well-funded criminal and nation-state organizations, for whom cybercrime has become a key operational priority.
This possibility of reverse engineering needs to be considered during the development of these technologies, with industry and expert consultation, as well as regulatory frameworks in place. Technology does not have any morals, or allegiances, and can be deployed by anyone, regardless of their motives.
When I first started in security, only the smartest hackers would be able to get access to tools that would allow them to take advantage of systems or people. Now there's a whole underground economy and anyone can go buy a botnet or get some ransomware and leverage it. It's so accessible, and that's a really big issue. For security practitioners, this means that any decision to deploy innovative new technology, even if it appears to be the best tool for their needs, must also consider how hardened, or secure, this new solution is from reverse engineering by external attackers.
The issues of cybercrime are not going away and will become increasingly more important in the coming years. This means that the role of the CISO, or other technology leaders, needs to be elevated in accordance with the importance of the role. While the role of the CISO is one that is subject to almost constant change, ensuring that they have a voice within the business and the security community more widely will help ensure the position remains relevant. The CISO is still the person in the best position to protect enterprises and individuals alike from the ever-expanding threat landscape.