Role of the Modern CISO Matures
By Gary Hayslip, Deputy Director, CISO, City of San Diego
Ten years ago, as a network architect managing my organization’s network teams, I was surprised one day when my organization’s CIO walked in and said “You are our new Information Security Officer in charge of both network and cybersecurity.” At that time, as the new CISO for my organization, there was no big difference in how I performed my job. My job was all technical, I managed my teams, and kept software and hardware updated. As the new CISO I never spoke with executive management, I had some control of security projects, and I had very little input into my budget.
“The CISO is the key member to reduce risk to their organization and ensure ‘Operational Resilience’”
Fast forward to today and the landscape that today’s CISOs operate in and the role they fill has fundamentally changed. In today’s role as a CISO, one finds that not only must CISOs understand the technical side of cyber security; they must equally understand enterprise risk management and how both disciplines impact their organization’s ability to successfully conduct business. In today’s dynamic environment, companies that lead their industries are now recognizing that cyber security is a board-room priority. These companies have now come to the realization that through their CISO they can become “Operationally Resilient.” Through their CISO they can respond and quickly recover from cyber incidents. Companies without a CISO, however, lack the primary individual within the organization who can provide them insight into its exposure to risks from today’s long list of security threats. Without a CISO, companies limit themselves from being able to recover fully from a cyber-incident without great cost and potentially open themselves to legal repercussions that may have long lasting effects on their ability to operate.
With this new role in mind, the challenges of today’s CISO have also exponentially changed due to the explosion of new technologies and a dynamically-changing threat landscape. Due to these new technologies, many CISOs are now finding the perimeters of their organizations have dissolved as their companies employ solutions such as BYOD, Cloud, and Mobile Devices. This dissolution of perimeters has resulted in CISOs having to educate themselves on new, innovative security architectures, frameworks and understanding compliance regulations to reduce their organization’s exposure to risk.
As the role of today’s CISO change, so have the skills required by this multi-dimensional position. Good CISOs are those with a strong technology background, good management skills and the ability to mentor and lead teams. However, with today’s ever changing technology and threat environment being a good CISO isn’t enough. Being a CISO in today’s threat landscape requires not only technology, leadership, and management skills; it requires new skills related to business. The role of the CISO today now requires new skills such as business acumen, risk management, innovation, creating human networks, and building cross-organizational relationships. The new CISO of today must be able to define their “Vision” of Cyber-Security to the organization, explain the business value of that “Vision” and secure leadership support to execute and engage the organization in implementing this “Vision”. To now be effective, CISOs require knowledge of multiple skill sets and must be a key member of their organization’s IT leadership team. I strongly advocate that today’s CISO is the one key member of the organization who understands the changing definition of Cyber and champions throughout the organization that cybersecurity is not just a technology issue but an enterprise risk management issue. Through proper engagement with organizational stakeholders including the IT & executive leadership team members as well as the strategic business partners, the CISO is the key member to reduce risk to their organization and ensure ‘Operational Resilience.’