Now that cyber incidents and data theft are becoming ever greater business risks, the importance of having a CISO in the organisation is increasing. At the same time, there are also more question marks about his role and above all his place in the organisational structure. Should the CISO still report to the CIO or does he deserve a more prominent position? And what exactly should his role involve? These are the three main changes that CISOs can expect in the coming years in terms of their role and their place in the organisational structure:
1. The CISO will overtake the CIO in the organisational structure
The role of the CIO originated 10 to 15 years ago. At that time, the availability of computers and networks was becoming increasingly crucial to companies. It was only when security threats emerged some years later that companies felt the need for a 'CISO'. In those days they were often called security managers and they worked within the CIO team. Typically they were IT experts whose job was to make sure information was processed, stored and secured in a safe and confidential manner. Availability was always the highest priority for the organisation. Everything had to work properly. Later, risks were viewed more through a company-wide lens, including the role of security. As a result, besides availability, the confidentiality and integrity of data were also considered and the CISO role was created. Because the official CISO position only came into being later, it was often automatically placed under the CIO in the organisational structure.
However, that place in the organisational structure now often puts the CISO and the CIO at odds. The CIO is responsible for the availability of the network, while the CISO has to manage security risks across all three of confidentiality, integrity and availability. In the CISO's new role, the CIO's domain is therefore one of the areas the CISO oversees. So when the CISO reports to the CIO, they have conflicting interests, and patching is the classic example. Patching less often is in the CIO's interest because it means fewer changes and reboots and keeps availability high, but it is not in the CISO's interest: every delayed patch leaves a known vulnerability open, and the CISO sees his security risk grow for as long as the patch is deferred.
In the future, these interests will clash even more frequently. As the attack surface increases and hackers look for critical data not only via systems, but also via people and processes, company-wide security is becoming ever more important. This also increases the importance of the CISO as a strategist and independent consultant within the organisation. The CISO’s position in the organisational structure therefore has to change. It needs to become a business role for which understanding technology is a requirement.
The CISO will increasingly have to stand alongside or even above the CIO in the organisational structure, in an independent role. His role will be to understand business opportunities discussed in the boardroom, create the company-wide cybersecurity plan and drive its implementation and report on it to the board.
The implementation of that strategic cybersecurity plan will fall to the CIO in terms of availability and to the privacy officer or person with legal responsibility in terms of confidentiality and integrity. As a result, there will be fewer conflicting interests and cybersecurity will receive the attention it deserves in the organisation.
2. From technical expertise to knowledge of trends and developments
But more needs to change than just the CISO's place in the organisational structure. As long as the role of CISO still largely consists of operational tasks, a CISO primarily needs technical knowledge to perform those tasks and to guarantee that the organisation's data is properly secured. In his new strategic role, the CISO must be able to speak the language of both technology and business. A CISO who has been a top security engineer for 15 years but who has no business knowledge and does not want to develop any is by definition not a good CISO. Better to remain a top engineer, which is incidentally one of the more important roles within a company.
Today's CISO needs less technical expertise but does need to have a better understanding of the technical impact of current security threats. He must be able to provide more context in the boardroom about the security threats at play and their impact on business operations. The requirement for detailed technical expertise can be left to the privacy officer and the CIO.
More business knowledge
The CISO will need to focus more on business knowledge in the future. It is important that the CISO knows the business strategy, has the CEO’s ear and understands how the organisation works financially. He needs to know how to build good business cases and which metrics to show in order for the board to make the right decisions. He needs to understand that, in order to make the right decisions, the board really only wants to hear what the business opportunity is, what the associated business risk is, what the costs are to minimise the risk and what the costs are if a breach nevertheless occurs.
3. From an operational to an independent executive role
The role of the CISO is still often far too operational. In the future, the CISO must be given a more strategic, executive role, one in which he acts as an independent adviser to the CEO. That mandate has to come from the board. In this new executive role, the CISO should always ask the CEO two questions about every major decision:
- What is the impact of this decision on the company's sales and profits?
- What is the risk surface of this decision and how can that risk be avoided?
An example to illustrate the importance of these questions: suppose a company has a plan that yields revenue growth of 10 million euros. If the probability of a serious security incident is 10%, that may be acceptable; if it is 90%, it is no longer acceptable. In such a case, the CISO must ask the above questions and then examine, together with the board, whether the security risks can be balanced against the opportunities for the company, for example by spending part of the expected revenue on measures that bring the risk down to an acceptable level.
If the CISO succeeds in taking on this more executive advisory role, his focus will increasingly lie on high-quality security advice and setting up and implementing company-wide strategic security plans, and less on operational tasks.
It is therefore possible that in the future the post of CISO will no longer be a full-time role, because it will be an advisory role to the board. The CISO will draw up the cybersecurity plan and leave the execution to others, for example the CIO and the privacy officer. This creates space for a vCISO, a virtual CISO: someone who contributes remotely, two or three days a week, to strategic thinking about the risks and security challenges facing the company. But many companies have not reached that point yet.
The CISO as an enabler for the company’s success
If the CISO manages to adjust his level of knowledge and effectively claim his new place in the organisational structure, he can make an important contribution to the company's success. An organisation with a CISO in the right strategic, executive role is qualitatively much stronger as a business. Security risks are balanced against opportunities and, because prevention and detection are already in order, the company can act more quickly and with greater agility than the competition. This inspires far more confidence in customers. A good CISO makes sure that every security measure contributes to employee satisfaction and to the company's competitive position. In this way, the CISO makes a real strategic contribution to business growth.