The last SASIG meeting in London on 8th May 2018 examined the role and career of the CISO. It is hard to walk out of an event like this one not feeling that a number of things are seriously going round in circles in the security industry.
The reporting line of the CISO is one of those topics which have been discussed constantly amongst security professionals for the best part of the last 15 years, but more generally, it felt like the role of the CISO was taken for granted as an established corporate concept.
That is far from being the case in my opinion, and as a matter of fact, the role does encompass very different responsibilities from one organization to another and is rarely a true C-level function. Far from being reinforced by the constant avalanche of cyberattacks and data breaches of the past few years, it is being marginalized by three long-term trends:
1- The Cloud, Digital Transformation and the changing role of the CIO
Information assets are changing; they are being used in new ways across new media and across an increasingly complex dematerialized supply chain; the CIO has to share powers with CDOs and must deal with an increasing number of powerful service providers, and increased pressure from business units looking to gain a digital competitive advantage. Over time, the historical role of the CISO runs the risk of becoming the guardian of an increasingly empty shell surrounded by an increasingly complex web of supplier relationships, and little actual control over the real level of protection applied to sensitive information assets.
2- Resilience, privacy and the consolidation of broader corporate concepts
Large scale cyber attacks over the past few years have put cyber risk on the board’s agenda, but 'information security' – the traditional perimeter of the CISO – is often seen as only one aspect of a much bigger problem: the board wants to see a full picture, encompassing the whole capability of the enterprise to sustain a cyber attack and recover from it. In larger firms, this 'resilience' concept tends to lead to the emergence of broader enterprise security functions which push down the historical role of the CISO, as McKinsey & Co are rightly pointing out here.
One point McKinsey are missing – surprisingly – in this article is the importance privacy regulations are also playing – at least in Europe – in shaping up the board agenda around security. GDPR has been a big topic in many firms across the past 12 months. Tens of millions have been spent towards 'compliance' in larger firms, and a good proportion of that went towards security-related measures, but many CISOs have failed to capitalize politically on the topic which has broadly been seen as a legal issue. The DPO roles and other 'Chief Privacy Officer' functions which will emerge over the years to come from the implementation of the GDPR, are likely to create an additional corporate layer 'breathing down the neck' of many CISOs and altering their historical ways of working.
3- Failure and the price to pay for the cyber security 'lost decade'
For many senior executives, the actual role of the CISO – in its historical sense – is still a mystery. It is seen as complex and technical and it lacks a natural edge they could relate to. It feels like a 'black art' always requiring more investments. At the same time, cyberattacks keep happening and often seem to point out to the absence of basic protective measures which could have been implemented years ago.
This 'lost decade' of cyber security investments has damaged the profile of the CISO position in the eyes of many business leaders. And indeed many CISOs end up hopping from one job to another because they feel they can no longer achieve what they would like or are not being listened to.
So the role of the CISO in its historical technology-driven perception is not outdated yet, but it is under threat and losing ground.
The firms looking to reverse this trend need to act at three levels:
- Elevate the personal profile of the CISO role by injecting real-life experience, managerial talent, personal gravitas and political acumen.
- Decouple the role from its historical technical profile and stop following blindly the misleading agenda of the technology industry; those historical aspects of the role can be separated into an 'IT Security' function within the portfolio of the CIO or the CTO
- Instead, turn the CISO function towards the new players in the field (CDO and DPO) and towards assisting the business units in all aspects of their digital transformation, dealing with third-parties and the associated evolution of the threat landscape.