InfoSec Insider

The Evolving Role of the CISO

Curtis Simpson, CISO at Armis, discusses the top qualities that all CISOs need to possess to excel.

Digital technologies have infused every aspect of business, especially with the shutdown of the physical workplace. The increased interdependence between the physical, digital and cybersecurity worlds demands a leadership position that combines technical know-how with the ability to recognize security priorities from a business perspective. Paired with the slew of new threats hitting businesses amid a global pandemic, and the increased scope of what needs to be secured, the past year has accelerated the evolution of the CISO.

Specifically: while CISOs were once seen solely as security risk managers, they are now expected to be business enablers for their organizations.

Top Qualities of a CISO

Cybersecurity is a highly dynamic field. Rapid, experience-driven decision making, organized thinking and the ability to communicate strategically to a non-security audience are almost second nature to many CISOs.

To truly succeed as a CISO in today’s digital world, here are the top qualities a CISO needs to possess in order to excel:

Matchmakers: It’s integral for CISOs to understand the big-picture mission and to make strategic decisions that align security goals with overall business goals. Executives expect CISOs to secure the organization to the benefit of the business, not to its detriment. With that in mind, it’s important to remember that the consolidated set of technologies and services in the security stack can deliver benefits to stakeholders beyond the traditional ones. The ability to connect our efforts to tactical and strategic benefits for business operations, or even the bottom line, that go above and beyond traditional risk reduction is critical to the success of the role, the team and the program overall.

Relationship Builders: The CISO’s job may seem hyper-focused on security, but success is truly determined by relationships. This may come as somewhat of a surprise, given that security professionals are commonly associated with their technical skills rather than their social skills. Communicating with, resonating with and understanding the needs and concerns of business units and their stakeholders is the most crucial aspect of the CISO role. The true power lies in the combined understanding of the needs and challenges faced by stakeholders, the security and compliance risks we need their help addressing, and the breadth of technical and operational capabilities at our disposal. Stakeholders we can help today will help our cause tomorrow, particularly those that are commonly allies of security (legal, enterprise risk management, internal audit). True change for the sake of business risk reduction typically comes through the voices of a network of change agents, not only the lone voice of a CISO “punching up.”

Servant Leadership: Set the strategy, manage priorities at the “epic level” (side note: if you’re not practicing agile, consider doing so), clear a path for your team and guide as required. Don’t manage the details; lead on the outcomes and let the team figure out how to get there. As the team bubbles up risks and challenges, use your relationships to knock them down, enabling the team to make iterative progress on the top risks and objectives. As noted above, CISOs no longer have the time to manage every facet of the program; they must instead enable the team to push strategic efforts forward.

Advocates: At the end of the day, CISOs need to advocate for the security infrastructure that will actually protect their organizations. This is no easy feat, as business leaders are often skeptical about investing in cybersecurity when they can’t physically see the threats in motion. CISOs must communicate the importance of quality cybersecurity and advocate for tools that will, as a result, save the business money in the long run. CISOs must serve as lobbyists for the security organization, fighting for what’s needed to stay protected under any circumstance.

Future Forecast: Where is the CISO Role Headed?

Traditionally, CISOs focused on security strategy. They worked with stakeholders and direct reports to understand and stack-rank risks and related threats, and established and grew programs and capabilities to stop them. Whenever a breach or significant security exposure was identified, their job was to lead the charge in fixing the problem. Now, CISOs need to think proactively not just about security strategy but about long-term business strategy.

In the era of the digital workplace, CISOs must not only focus on preventing threats but also create systems that work for the business while keeping everyone protected. Constant innovation, creation and implementation of unique strategies are already part of the CISO’s job description. It is about thinking not just about the threats in front of you but about the threats to come, and how to stay ahead of them while keeping the goals of the business at the forefront. Decision-making that ties business strategy and security processes into a firm knot is the only way to stand straight amid the fast-paced, ever-changing storm of digital services.

The role of the CISO is evolving faster than ever, and the CISO is becoming a jack of all security and business trades. On Monday, they’re the superheroes keeping the cybercriminals out. On Tuesday, they’re improving the organization’s security posture. By the end of the week they’re C-suite ambassadors reinventing the concept of security, all while delivering positive business value.

As the role continues to evolve and the CISO’s depth and breadth of knowledge regarding the business, its underlying technology and its core risks continue to grow, the role will keep rising outside of IT and come to be seen as a peer of the CIO. As enterprises continue to evolve, a growing number of effective CISOs will be asked to inherit enterprise risk-management or infrastructure responsibilities. The future remains bright for the CISO role, as long as we remain focused on truly aligning with the business and managing risk around what matters most.

Curtis Simpson is CISO at Armis.
