The Momentum Behind the Role of the Chief Security Officer
It starts to make sense to evolve the role of the CISO and return it to its native technical content
In many large organizations, defining and structuring a Chief Security Officer (CSO) role is starting to make more and more sense.
The concept is not new and has generally been used to encompass all security aspects a firm may be faced with – physical and digital.
It is time to look at it from a broader angle in many large companies.
Broadly speaking, the role of the CISO (Chief Information Security Officer) has failed to drive change and build sufficient momentum around cybersecurity issues over the last two decades.
This is mostly driven by an excessive technological focus that has imprisoned CISOs in technical firefighting and prevented them from adequately reaching across the business and developing sufficient management and political acumen.
Today, as the penny is dropping across boardrooms and the “when-not-if” paradigm dominates thinking around cyber-attacks, they are trapped in an impossible role where they are expected to be audible and credible across the depth and breadth of the enterprise, from boards and regulators to pen testers and developers.
No profile can reach effectively across a spectrum of skills that wide, and it starts to make sense to evolve the role by separating the components it has been accumulating over the years.
This is made all the more important by the increasing regulatory and reporting pressure, which has been mounting steadily for all businesses over the past decade across all industry sectors: It started around data privacy with the GDPR in Europe and many equivalent state regulations in the U.S. Reporting demands are now developing at the federal level, and governance aspects are also coming under increased scrutiny.
This regulatory intervention is simply the result of devastating cyber-attacks that have threatened or impacted key infrastructure components and brought into broad daylight the extent of the disruption those types of events can cause.
As a result, senior executives have started to look beyond traditional business continuity approaches, to pay more and more attention to resilience concepts.
All those aspects (cybersecurity, regulatory compliance, resilience) have one major component in common: They are cross-functional and require a reach across corporate silos to be effective and efficient.
I would add that on those three fronts, the risk dimension is increasingly becoming obsolete in my opinion: This is no longer about events that may or may not happen, but simply a business reality that has to be factored into the way the firm operates.
Those are the factors combining to build momentum behind a redefined role for the CSO, encompassing oversight of physical and cybersecurity, but also data privacy, operational resilience and their associated compliance and regulatory reporting obligations.
A role of that magnitude in most firms can only make sense and function from the top of the firm, as part of the most senior business leadership team.
It has to be seen as a senior management role, focused on building the necessary cross-functional channels, ensuring they remain active, and bridging across business and political issues by bringing sufficient gravitas and credibility around the matters involved.
It is – of course – a role for a seasoned executive, motivated overall by the protection of the business from active threats, able to take an elevated long-term view where required, over and above the short-term fluctuations of any business.
We are miles away from the current role of most CISOs (our starting point), but it does not make their job any less relevant.
To the contrary, it offers an opportunity to refocus the role of the CISO on its native technical content and give it a renewed currency by stripping off the corporate layers added over the years, for which its holders – most of them technologists by trade or background – were poorly prepared.
A dual reporting line to both the CSO and the CIO would then make sense for the CISO and ensure a degree of independent oversight in industries where those aspects around separation of duties are scrutinised.
This type of model is essential in my view to drive large-scale programmes, where cybersecurity maturity is low and urgent transformation is required across the cybersecurity practices of an organisation.
The combination of the top-down and cross-functional influence of the CSO with the technical reach of the CISO should be key to creating and maintaining the momentum required to deliver change, and to breaking business resistance where it happens.