When the title of Chief Information Security Officer (CISO) first came into existence more than a decade ago, the roles and responsibilities of the position barely resembled their current reality. The majority of CISOs reported to the Chief Information Officer (CIO), and were mostly focused on technology applications. They operated in silos and had a basic understanding of how to link security to the needs of the organization.
Since then, roles and responsibilities have evolved considerably. Instead of managing technology, today’s CISOs are responsible for a much broader and deeper set of interrelated tasks involving not only risk but governance. More often than not, they report to the CFO or risk officer rather than to the CIO. CISOs engage directly with the board of directors and are public facing. They now have their own budgets and are charged not only with breach defense but also with protecting and enhancing the value of the company and its brand.
With mounting threats, it is apparent that effective cyber-security demands a concentration on much more than technology. IT can no longer be expected to remediate cyber-threats on its own. The demands of the CISO position require in-depth knowledge of the company’s challenges and strong relationships with key stakeholders, as well as technical prowess.
The whole executive team, including the board of directors, must now assume a new management and governance role where technology, business and risk meet, and they must be equipped to own such risks. The CISO must provide the support necessary to fulfill this new mandate, while bridging the gap between operations and IT to keep critical business systems, assets and other data secure and operational.
To be successful in this role, CISOs must have a deep knowledge not only of IT but of the entire enterprise. Further, the CISO must forge strong relationships with the company’s customers, top management and external suppliers. They must also be granted greater authority, with direct reporting lines to the C-suite and regular interaction with the board as it steps up its oversight of, and involvement in, the defense against cyber-attacks.
Christopher Karr, CISSP is a Director of CyberSecurity at IGI