Who does the modern CISO need to be?
According to the 2021 Gartner, Inc. Market Guide for Managed Detection and Response Services, the role of the chief information security officer (CISO) has to change in 2022 to combat the ever-evolving modern threat landscape. Eighty-eight percent of company boards now consider cybersecurity as a business risk rather than solely a technical IT issue. Accountability for cyber risk has shifted away from IT and more onto the individuals within an organization – cybersecurity is everyone’s responsibility – plus an increasingly distributed ecosystem of hybrid working and cloud operations means a change to the direct decision-making control that was possible pre-pandemic.
The role of the CISO will change significantly over the next five years, and if the C-suite now sees the importance of a preventative cybersecurity posture it’s time to foster a leadership culture that will support continuous improvement and innovation. Organizational leadership roles need to change to support this new reality, cybersecurity roles doubly so. Gartner, Inc. analysts believe that, in the future, CISOs may have less direct control over a lot of the decisions that might fall under their remit today. How can the modern CISO evolve and keep abreast of the knowledge and data needed to effectively manage the challenges of the new normal?
Same skills and new skills
The modern CISO needs to be able to wear many hats while performing their role. The CISO of 2022 must be fluent in the language of risk analysis and able to apply it to business strategy, IT operations, and security risk management. It is likely, however, that in future they will be more accountable to the rest of the C-suite. They will need to focus on creating a cost-effective and efficient information security program that strengthens customer trust, allows for frictionless but secure development of new services and products, and leverages data analytics to reduce operating costs and improve business results, while mitigating or eliminating cyber risks. They will also need to be able to communicate this at board level.
They will, very possibly, have fewer staff and less money to make this happen. The CISO is responsible for putting in place the necessary processes, people, and technology to protect a company’s data. They will need to manage human resources to maintain employees’ trust and productivity, as well as be open to new technologies and future risks. They will be responsible for helping their organization devise a strategy that safeguards digital assets from both internal and external threats, for engaging with the C-suite to foster trust and communicate with other stakeholders, and for defending against advanced threats through the design and development of security policies. Business leaders outside of IT are starting to rethink their approach to information security, hopefully developing a leadership culture that supports continuous cybersecurity improvement and innovation.
The CISO of the future will still manage the cybersecurity team’s activities, finances, and supplies. They will ensure that their team has sufficient and continuous access to training and education opportunities, as well as the latest in cutting-edge techniques. The role of this cybersecurity team leader will also be to foster a positive learning environment, where every member of the team feels empowered to learn new things and explore new ideas. The CISO must be able to lead their team with conviction while inspiring others, across the organization, by creating and maintaining a sustainable (and company-wide) security culture. Any cyber-responsible organization must create a habit-driven working environment where security is by default, and this will fall under the remit of the CISO.
In the next couple of years, and budget permitting, cybersecurity will be an increasing focus for many organizations. Gartner, Inc. predicts that more than 50% of C-level executives will have performance indicators related to cybersecurity risk (at a departmental level, at minimum) as a part of their employment contracts before 2026. A CISO’s role is to provide guidance and build the culture of the next generation of cybersecurity professionals. The ideal candidate should possess a strong background in leadership, C-suite management, information security, technology, and analytics, with a focus on compliance (such as GDPR or other standards) which is required by law to protect their customers’ data.
The CISO’s role of providing information and support on current, evolving, and emerging cybersecurity threats to the business is becoming increasingly complex. It’s now essential to be able to navigate a diverse array of possible breach points – application, data, internal, cloud, hybrid, etc. The world is changing, the number of vulnerabilities is growing, and the cybersecurity market is shifting towards cloud computing and artificial intelligence. Our CISOs must have a solid grasp of these trends to ensure their company has the best strategy for staying ahead of new threats and attacks. The CISO needs to be something of a visionary, who understands how to use his or her technical knowledge for business goals. The leader must be able to identify areas where the organization is vulnerable and implement actions to reduce risk. One of their key challenges in the months to come will be finding skilled workers with specialized training, and retaining those team members essential to best security practices.
It’s not just boardroom and inter-departmental communications that will fall under the CISO’s remit. They will also need to foster their thought leadership portfolio, as cybersecurity thought leadership becomes a much sought-after PR commodity. Organizations want their prospects and customers to know that they have the reassurance of expert protection if they bank, shop, trade, or share data with the organization. A CISO must have the expertise to contribute to industry blogs, join panel talks, take part in business webinars, and discuss modern protection methods and company standards at length.
The modern CISO will be required to provide an organizational framework to ensure that the various security functions of the organization work together efficiently and effectively. Embracing the right cybersecurity tools will be needed to match ever-increasing threats in the online environment – using them to streamline security operations, including reporting, to alleviate alert fatigue, to provide actionable and understandable results, and to plug the current cybersecurity skills gap and staffing conundrum.
Getting to grips with the technology
In the modern cybersecurity team, time, resources, speed of response, and money are precious commodities, and will become even more so in the future. Having the right tools in place will be important to free up our CISOs and their teams for additional and priority activities; this is already the norm for SMEs and larger organizations alike. Value for money will be essential, but automation is an effective way to ease the pressure on capacity, accuracy, and team experience, and can, if the insights it provides are clear and actionable, produce positive results immediately. Cybersecurity automation improves security response and promotes greater departmental efficiency. Filtering out false positives and cutting down on alert fatigue through the use of the right cybersecurity automation tools can make your team more effective, and improve the efficiency of the regulatory compliance work required for data privacy.
When departments work independently, integration suffers and potential security issues can go unidentified at the different stages of development. Dedicating time and resources to another department’s production schedule isn’t always possible, but this can be smoothed considerably with the application of the relevant technology. Application development teams, for example, may leave the nuances of cybersecurity until late in the development cycle or be unable to address them before beta testing. A shift-left/agile mindset and Scrum best practices can address cybersecurity iteratively and incrementally, but this is not always possible. Technologies such as runtime application self-protection (RASP) can be of great help and value. RASP is designed to protect an individual application, and enables identification and mitigation of threats at runtime that could have been overlooked by other cybersecurity solutions.
The technology we use, and how we use it, will be instrumental in addressing the cybersecurity skills shortage and enabling our CISOs to concentrate on other areas.
Future readiness
The CISO’s job is changing, but the usual requirements are still there and our CISOs will still need to lead the company strategy to maintain cyber safety. A full-time CISO, in any organization, must offer influence, direction, consistency, and enhanced public perception. The role will always be a critical layer in the protection against bad actors, but the new CISO must expect other C-suite members and departments to take an active interest in what they are doing and in the overall organizational cybersecurity strategy in the years to come.
Regional standards and compliance, like GDPR, CCPA, LGPD, or POPI, will likely grow and change. The modern CISO must keep abreast of evolving privacy and human rights law. They must expect to have fewer staff and less time, and to be more reliant on automation to plug the skills and knowledge gap and to free up team time for cross-departmental activities (such as training and cybersecurity awareness). Cybersecurity may become a part of PR activity, with businesses wearing their security credentials and standards on their sleeves.
Whatever else changes for our CISOs, whether it’s new processes, restructuring, automation, more active C-suite involvement, or new responsibilities, organizations need a cybersecurity leader more than ever before. Every job evolves, and the modern CISO is going to need to embrace everything available to them and become a cross-departmental communicator to take their organization forward, safely, into the future.