The changing role of the CISO
Demand is high, supply is low and requirements are changing. Tony Morbin asks - so where are we now with the role of the CISO?
The SC Magazine article, "The changing role of the CISO," featured Russell Reynolds Associates research on CISOs called "Cyber Security: What level of Chief Information Security Officer do you need?" The piece also quoted Tim Cook about his insights on the topic. The article is excerpted below.
Not so long ago CISOs were like football managers – the fall guy for an organisation's cyber-security failures with a life expectancy in the role of about 18 months. We've had a breach, it's a tech issue - sack the CISO.
This game of shifting responsibility changed when the Target CEO got his marching orders following a breach. Information security became a board issue. CISOs are now expected to understand and articulate the business risk of cyber-threats to a non-tech audience, become educators for both the board and the workforce as a whole, liaise with and reassure compliance officers and be aware of legal and regulatory obligations.
However, for 28 percent of execs in a Russell Reynolds Associates survey, a decision by their CISO had hurt the business. And when it came to the skills gap within their security professionals, the weak spot was the ability to understand the business, cited by 72 percent of respondents, with 42 percent mentioning communication – but just as worrying for a profession that prides itself on technical ability, technical skills were also cited as a weakness by 46 percent of execs. IT leaders themselves think that more than 29 percent of their teams need to be replaced to drive digital transformation and increase productivity, according to research by IT resourcing specialist Experis – even though 71 percent of IT teams responded that they feel their skills and knowledge are not being fully utilised.
One company to look at the different types of CISO in more detail is Russell Reynolds, whose global co-head of cyber-security practice, Tim Cook, explained to SC Magazine UK his organisation's CISO model. It ranks CISOs into four categories, dependent upon the risk profile of the company: a low likelihood of attack and minor impact at level one; high likelihood and low impact at level two; low likelihood and high impact at level three; and high likelihood and severe impact from an attack at level four, with the seniority and responsibilities allocated to the role rising accordingly.
Looking at the model, Cook suggests most CISOs' capabilities are at level one: he puts 60,000 to 70,000 people in large enterprises with a weak cyber-security function at this level, many of them elevated from an IT function but with the same ability, and very few of whom can go on to level two or three. Controversially, Cook says there are only about 20 people world-wide who fall into level four, with the rest being at two or three. While banking as a sector is better than most, here too Cook suggests most banks are a one or a one and a half.
With professional cyber-security services companies growing by 25 to 40 percent per year, there is not enough talent in the market, so companies are raiding each other and the CISO pool. It's not sustainable, so the industry needs long-term planning to bring new people in and look at new areas such as audit, plus encourage more at the graduate and apprentice level and consider training military veterans. Cook says he expects to see an emphasis on developing and retaining those at level two and three, with three- to five-year training programmes and commitment from both employer and employee to roles that stretch, train and develop the participant. Sutton suggests, “Maybe part of that can be formal education (MBAs etc), mentors, and making the most of the time they get with the board. You need to not be dismissed as just spreading FUD (Fear etc), so use it but don't focus on it. What's already impacted competitors – focus on the real world – and what makes us different if that happened to us. And if you've just been lucky, say that, that it's a real threat – but here's the plan to mitigate that risk.”
Cook believes that who the CISO reports to is going to become a hot topic, suggesting the role shouldn't report to IT – noting that in Middle East banking it cannot – but should report to someone handling governance. And CIOs should recognise the benefits of a strong CISO, not see them as a challenger. Though Sutton notes that, “Often the CISO is put in an organisation where there is a conflict of interest, eg they may report to a CIO or CTO who has very different incentives. They need to keep the system up and running; you need to stop and fix it, or audit the found vulnerabilities and delay a launch.” He suggests that, “For 10 different companies there will be 10 different answers – the role is starting to migrate to reporting to legal, the board or the CEO – it's company specific. We want the CISO to have an adequate voice. Often the Chief Legal Officer won't have a conflict. Maybe it can be down a few levels but with regular boardroom-level presenting so they can speak direct to the board and not through a proxy.”
Cook says that while the CISO may not always need to come from a technology background, they need that capability within the role – perhaps in a strong number two – to evaluate the claims of the thousands of product and service offerings in the market. Cook adds, “Not now, but in the future it may be that a Chief Technical Architect, or Chief Technical Officer, would report to the CISO to cover those more technical aspects.”