Very often, business executives and boards struggle to understand the role of the chief information security officer. For some, the term CISO designates the person responsible for IT security within the organisation. For others, it is the person responsible for IT security policies and frameworks, without operational accountability. This article aims to bring some clarity to the subject and to put into perspective the value added by the CISO role within the context of the 4th industrial revolution.
Businesses are moving faster than ever, and the threats organizations face are far more damaging than ever before: in an increasingly digital and interconnected world, mobile, cloud, IoT and OT systems all connect to the IT infrastructure. The evolution of security requires a substantial redefinition of the CISO role. Traditionally, many security practitioners have come from technical backgrounds and, until recently, have not been required to work closely with the business or to communicate security issues in a language that business audiences clearly understand. As a result, CISOs struggle for the budget and authority they need. Many CISOs suffer from a lack of authority at a time when cybersecurity has never been more critical.
The perceived gap
CISOs are accountable for cyber risk but lack the authority to set budgets to mitigate technology risk. The implications of this reality are significant, as existing technology defenses may not be adequate to reduce cyber risk to the level set by the organization's risk appetite. Senior business leaders could end up making sub-optimal decisions without sufficient clarity about cyber threats, cyber risks and the investments required to mitigate them.
A cultural change
A risk-based approach to effectively address cyber risk requires a cultural shift: risk management is an explicit recognition that there is no such thing as perfect or complete cyber protection. Organizations must make conscious decisions regarding what they will do and, more importantly, what they will not do to protect themselves. These decisions must be taken together with the risk stakeholders in the non-IT parts of the business, and the residual risk must be understood in a business context and explicitly accepted. Risk stakeholders have choices. They can choose to take more risk at lower cost, or lower risk at higher cost. It is a legitimate business decision to accept any level of risk you understand.
The CISO role in the 4th industrial revolution
CISOs must evolve and leave behind traditional perimeter thinking to become influential business leaders and trusted risk assessors who can architect comprehensive security roadmaps and explain them clearly to boards and non-IT audiences.
A well-seasoned CISO brings to the table not just a specialty in technology but also an acute awareness of the possibility of attacks and knowledge of the threat landscape. It is about having a broad and deep perspective on risk and on how to enable the business while minimizing that risk.
Security and trust are essential to building an ecosystem and attracting stakeholders who are set to interact with each other on a common platform. The value added by the CISO role is the ability to offer a broad and deep perspective on cyber risk, and on how to enable the business while minimizing that risk, in a world where resilience is overtaking recovery as the most important task for any business.