The Changing Role of the CISO

The CISO role appears to be going through a period of transition. The number of security breaches that have occurred over the last year and a half is unprecedented and has demonstrated a requirement for stronger security. The improvements that need to be made from within will stem from the CISO's desk. This represents a shift that will require enterprises to re-examine the role of the CISO.

In most companies, the security budget is a fraction of the total IT spend, and a CISO might find himself or herself reporting to any of a range of departments, including Legal, IT, Risk Management or Finance. A CISO's level of influence rarely extends past his or her own department.

In an article on CSO Online, authors Brian Engle and Renee Guttman point out that the CISO should have the ability to affect change on par with changes implemented by the CFO, CIO and other key executives. CISOs must have their own budgets and a line into the board of directors.

Major breaches are occurring at unprecedented rates because enterprises face a new cyber threat landscape where security challenges extend beyond the perimeter. Building better defense in depth with point solutions is no longer a sound strategy. A re-evaluation of security practices is required.

The adversary is evolving as well. Organized crime and nation-state actors have entered the fray. These groups employ highly organized and technically advanced cyber attackers capable of carrying out successful attacks on pre-selected targets. The motive can be to monetize stolen information or to attack the organization itself for political reasons.

Adding to the complexity of the cyber threat, a black-market underground thrives, where experts from around the globe can anonymously buy and sell tools, data and intelligence. This market has increased the value of information that can be used in future attacks, such as login credentials or PII (personally identifiable information), and has broadened the range of viable targets.

The fact is that cyber crime isn't going to go away anytime soon, and security will be a problem for the foreseeable future. As the person charged with combating this ever-evolving cyber threat, the CISO all of a sudden plays a vital role in the success of any given organization. The following quote from a TechTarget article describes this perfectly:

"To be better prepared, our clients are elevating the CISO role to a true executive-level position, versus a director-level position reporting to a C-level executive, and increasing their budgets, anticipating increased headcounts and technology investments," said Cindy Miseli, senior recruiter with Alta Associates, a boutique recruitment firm in Flemington, N. J.

As the responsibilities of the CISO expand, the role needs to become a more strategic business function. CISOs need to become dynamic leaders, capable of bridging the gap between technology and the boardroom. Successful CISOs will be capable of both building and training effective security teams and of communicating security threats as business risk to non-technical business leaders.

The first set of challenges every CISO must face is the shortcomings of the dated security technologies that form the foundation of almost every security program. In the same TechTarget article, the authors point out that the CISO has to look at security as a holistic problem and can't focus on point solutions:

The chief information security officer can't focus in on point solutions when there is an entire architecture to secure across all different areas, [Bruce Brody, chief cybersecurity strategist at Cubic Corp] said. A point solution doesn't solve 1% of the problem, so you are always looking for enterprise-wide solutions that you can put in place to improve the risk profile.

The point-solution strategy is too narrow in scope; CISOs don't have the luxury of focusing on a single area of risk at a time. They need to deploy holistic security strategies that address external threats targeting users, third-party partners, mobile applications and more.

This includes building programs to address external threats that impact the brand. Cyber threats like phishing, website malware and rogue mobile apps are creating small data leaks that can create friction with users and lead to massive data breaches down the road.

The increase in attention given to information security is long overdue. With the limelight on the CISO more than ever before, individuals in this role have a unique opportunity to step up as leaders. The role is changing and, with that, demand for security technology that meets modern challenges will increase. The future of information security will be defined by the response to evolving cyber threats and by the ability of CISOs to step up as business leaders.
