Modern Workplace

Are CISO skill sets straying from security?

Aug 21, 2023

It would be inaccurate to say that CISOs' roles are only now beginning to shift, since our responsibilities have always been a work in progress. We are responsible for the cybersecurity of the organization, or more accurately for its defense, but even that description deserves a closer look. To explore how the CISO's role is evolving, let's begin with where we were a decade ago.

The CISO as scapegoat

Almost ten years ago, Tech Monitor, an industry magazine, published an article titled "Are CISOs companies' data breach scapegoats?" It cited a study claiming that 75% of CISOs were not viewed as part of their organization's leadership team, and that 44% of those surveyed would blame the CISO for a data breach. Memes at the time joked that CISO actually stood for Chief Impending Sacrificial Officer: someone kept around specifically to take the fall.

Given that climate, it was understandable if some CISOs felt their job was to absorb the blame for successful cyberattacks. The feeling was compounded when teams were short-staffed, underfunded, and excluded from meaningful discussions with leadership. There is still debate today over where the CISO should sit in the organization. Under the CIO? Above the CIO? Entirely outside the IT organization?

Feeling like an outsider in a doomed position breeds a pessimism about the career that still resurfaces in current conversations. The prosecution of former Uber CISO Joe Sullivan and the SEC's Wells notice to SolarWinds CISO Tim Brown recently fueled such discussions. Given these origins, it is not surprising that more than half of CISOs fear a data breach will end their employment.

The CISO as educator

Lately, there has been an industry-wide focus on the role of CISOs as educators, guiding their peers and the board of directors. As more governments consider sweeping cybersecurity regulations, organizational leadership is looking to CISOs for answers. This is a welcome shift from where our role was ten years ago, but it also requires a new skill set. Staying on top of the latest cybersecurity developments is challenging enough; predicting the legal and financial implications of existing and proposed cybersecurity legislation can be absolutely mind-bending.

Some big-name regulations like GDPR are well known and relatively straightforward to address. However, several US agencies are working on new mandates. Most notably, the SEC has finally adopted its cybersecurity disclosure rules for public companies, which govern when, how, and under what circumstances a material cybersecurity incident must be disclosed to the public. The Cybersecurity and Infrastructure Security Agency (CISA) is currently developing the regulations it must implement under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). There is also a steady stream of lesser-known actions, including a Federal restriction on commercial spyware, new rules for the aviation industry, and a rating system for IoT/OT devices.

These are a few recent examples from the US Federal government, but there are also international, state, and local regulations to consider. Trying to ensure your organization’s cybersecurity posture complies with these regulatory environments could be its own full-time job. 

Many recent regulations apply only to government agencies, but that does not mean they have no impact on the private sector. When the government adopts a standard for itself, it often refuses to do business with organizations that do not meet the same bar. In that sense, businesses seeking government contracts are also governed by the cybersecurity regulations written for the public sector.

The CISO as sales rep

A recent article in SC Media cited a study claiming that 84% of CISOs have been pulled into sales-related engagements. These engagements let CISOs demonstrate the security of their applications, services, or products to potential clients. As buyers worldwide pay more attention to cybersecurity, CISOs are becoming public spokespeople for their organizations' brands.

This is great news, as it shows CISOs are gaining the respect of their peers in areas beyond the narrow scope of cybersecurity. The article says we are being dragged into these engagements, but we should be running to them, hopping and skipping. It shows we are executives in an organization that wants our input as part of its decision-making process. It proves that we have moved from viewing things as security and the business to embracing security in the business.

Yet this shift is causing some friction within the CISO community. Some still view our role as exclusively security-focused, while others believe it is crucial for CISOs to be part of business enablement. This growing rift was evident in a LinkedIn post by Malcolm Harkins, former CISO of Intel. He recounted a conversation that took place shortly after he assumed a new role at Cylance and attended a large CISO summit, where a peer asked him how it felt to be a vendor. The comment implied that real CISOs focus on security, while vendor-associated ones care about sales and marketing metrics.

Personally, I have had someone ask me how it felt to join the "dark side," which is how some enterprise CISOs see vendors. This is a terrible way to think about it. We are fighting on the same side. Cybercriminals are the dark side, not vendors or vendors' CISOs.

This conversation highlights two distinct lines of thought about the role of the modern CISO. One side argues that threat actors and hostile nation states are not diverting their top cyber talent into a myriad of non-security roles, and asks, "How can your security posture withstand attacks from dedicated specialists while you focus on non-technical issues?" The other side emphasizes the CISO's role as an executive, and responds that helping the rest of the C-suite move the business forward is as important as keeping the enterprise secure. Both tasks are vital to the survival and prosperity of the organization.

Wherever you fall along this spectrum of opinions, it is clear that the role of CISO remains a dynamic one. The SEC's recent rulemaking, which in its proposed form would have required companies to disclose the cybersecurity expertise of their board members, has pushed companies to look for directors who understand cybersecurity. A CISO who cannot talk and think business has little to no chance of ever landing a board seat. This too is helping to drive the evolution of the CISO role in a positive direction.

We were forged in a time when organizations needed someone to be responsible for all of that IT security stuff. As technology evolved and became central to business success, so did we. This job has always required people who are flexible, adaptable, and passionate about security. Today's challenges are no exception, and demand no less.
