Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Todd Fitzgerald
Todd Fitzgerald
Connect Directly
E-Mail vvv

The 5 Stages of CISO Success, Past & Future

In cybersecurity, as in history, security leaders who forget the lessons of the past will be doomed to repeat them.

The chief information security officer (CISO) role may seem relatively new to those who work in organizations hiring their first or second CISO. However, it has been almost 25 years since Steve Katz was hired as the first CISO at Citibank. While few organizations would argue today that an organization does not need someone accountable for the cybersecurity program, the role is quite varied across organizations.

The position may exist at an executive level (i.e., executive or senior vice president role), a middle management role (director/manager) or may be an individual role combined with other system administration activities in a small organization. Whatever the level, to quote Harry Truman, what CISOs should know to be successful today is that the only thing new in the world is the history you don't know.”

I believe the past teaches us that there are five distinct stages of CISO evolution that lead to a cybersecurity success story. Each stage had a different focus based upon the events at the time, as shown in the following diagram.

Graphic Source: Todd Fitzgerald
Graphic Source: Todd Fitzgerald

CISO Phase 1: The Limited Security Phase (Pre-2000)
Organizations secured their assets during this phase, but without the level of management and board of director awareness we have today. The function was typically buried in the data center and the main function was to provide logon access and authorization to files. As such, the function was primarily a technically oriented function.

2019 CISO Advisory: Technical skills are still necessary, but not sufficient for CISO success. Emphasis should be on breadth of technical knowledge across the entire infrastructure versus depth in a specific technology.

CISO Phase 2: Regulatory Compliance (2000–2004)
This phase saw the passage of a plethora of new laws addressing privacy and security in the healthcare, government, and financial sectors. It was during this period that the requirement for an "information security officer," commonly referred to today as the CISO, came into being for many organizations. Connectivity to the Internet and mainstream awareness of data breaches were occurring. Company resources were mobilized to "check the box" for security compliance, typically adhering to a set of controls defined by ISO27001/2 or COBIT.

2019 CISO Advisory: The laws are ever-changing, and the CISO needs to be aware of laws affecting the organization, as well as the differences between the controls necessary to be compliant with each law. Successful CISOs will consolidate these requirements and tie implementation projects to satisfy multiple laws to reduce organizational change management disruption.

CISO Phase 3: Risk-Oriented CISO (2004–2008)
The "check-the-box" compliance phase did not live up to expectations because organizations could not afford to secure all the information equally. The movement to a risk-based approach facilitated allocation of funds to more critical assets and a better use of people, process, and technology. This also provided an inroad to corporate risk management and enabled a conversation of information security risk along with other organizational risks.

2019 CISO Advisory: CISOs must always look at controls in terms of probability and impact, recognizing the organization can choose to accept, mitigate, transfer, or avoid the risk. These risk strategies must be clearly defined and explicitly approved by management.

CISO Phase 4: Socially Mobile Cloud-Enabled Threat Aware CISO (2008–2016)
Just when the CISO was getting a handle on risk, new technologies were implemented, such as the introduction of social media on a mass scale, a smartphone in every pocket, consumerization of technology, and migration to the cloud. All of this happened in less than a decade, and the CISO had to adjust. The CISO could not say, "No, this technology is too risky."

2019 CISO Advisory: The technical environment today will substantially change within the next five to 10 years. Artificial intelligence, the Internet of Things, managed security service provider outsourcing, machine learning, quantum computing, blockchain, mobile applications, managing third-party vendor relationships, and different methods of managing these components will emerge, and the CISO will need to stay ahead of the curve to adapt. Always.

CISO Phase 5: Privacy and the Data-Aware CISO (2016–2020s)
Several major incidents involving the use of personal information for social media purposes beyond the expectations of individuals has given rise to an increased focus on privacy. The General Data Protection Regulation (GDPR), effective May 2018, also increased the visibility of data protection through the introduction of substantial fines as much as 4% of annual turnover (revenue). Organizations, until now, typically have been deficient in the management and retention of unstructured data as well as business ownership and access to the structured information within the organization.

2019 CISO Advisory: The CISO must have knowledge of the critical information assets, or crown jewels: where they are kept, for what purpose, and for how long. The CISO should become as knowledgeable in privacy laws and concepts as much as being knowledgeable of security practices. The CISO must know where the data is, how it flows through the organization, and how it is being secured. In the event of a breach, this information becomes crucial for the incident response teams.

We still have a long way to go to educate members of the workforce with their own roles with respect to cybersecurity. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, only 34% of employees, outside of the security team, adequately understand their role in the organization's desired cybersecurity culture.

Bottom line, in 2019 the CISO who understands the breadth of technology used and desired by the organization, complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking), and knows how the privacy regulations affect the organization (where the data is, how it is being used, and how it is being protected) will be the CISOs in demand by their organization and others.

Author’s note: This evolution to CISO and the implications, along with an insightful interview with the first CISO, Steve Katz, are detailed in the author's newly released 2019 book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

Related Content:

Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books  —   CISO Compass: Navigating ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Moderator
2/19/2019 | 2:33:16 AM
Is it extra or necessary?
It is true that we often think lightly of things that we are not aware of. If a particular position isn't something that is familiar within the organisation that we work in, we might perceive it as unnecessary. Little do we know that other firms have actually been hiring one in order to ensure everything is in order. So are they just doing something extra or are we really the party who is missing out on something?
User Rank: Moderator
2/20/2019 | 3:50:03 AM
Defend and protect!
I'm sure that the requirements are going to continue to change across the ages. What is more important is that the CISO has relevant knowledge and experience to deal with exceptions as they happen. I reckon that crisis handling would be one of the top priorities that they would have to know how to handle, above and beyond preventative measures for their company!
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.