There’s a lot of debate right now about the role of the CISO in 2022.
Over the years the CISO role has evolved: where it once called primarily for technical skill sets, the modern CISO still needs to know the technology but, more importantly, must be able to make the business case for cyber security initiatives. This is where risk management skills, and being attuned to an organisation’s business risk profile, become key.
At Gartner’s Security and Risk Management Summit in Sydney on June 21, Arthur Sivanathan, director advisory at Gartner discussed a new study analysing the performance metrics, mindsets, behaviours and structural features of the role of more than 100 CISOs.
The effectiveness of a CISO
In summary, effective CISOs consistently engage with leaders outside the IT department; however, CISOs are spending more time with IT leaders than they should be. According to Sivanathan, “this has no correlation with CISO effectiveness, zero in fact.” Instead, meetings with non-technical stakeholders, whether that be the CFO, the CEO, the board, marketing or people and culture teams, have a positive correlation with CISO effectiveness.
As we all become more hyper-aware of security threats and we continue to redefine what it means to be a CISO, it makes sense to see the role take a more strategic and company-wide focus. However, it’s easier said than done, as it can be hard for a CISO to get out of the weeds. The Gartner study found CISOs are over-investing their hours in security operations, staff management, policy and standards setting, project risk assessment and oversight, and vendor management, whilst under-investing in stakeholder relationship building and strategic planning.
The role of a CISO
Phil Venables, CISO of Google Cloud, has written a lot about the contentious role. In a recent blog post, he said: “The reality is, like every important concern, security has to be a shared goal – one role can’t carry this alone no matter where it reports.”
Venables sees the role split into two – with one part focused on “embedding security into all products”, which has an engineering-centric role in most organisations. Then there is the part of the role that “enforces independent risk oversight of the correct security posture”, which requires close collaboration with the board and executive team.
Now, most organisations are acknowledging they need both roles in some form.
At Sekuro, we see first-hand how information security is managed throughout some of the world’s largest organisations. What is clear, is that security doesn’t just keep the CISO up at night. A breach has far-reaching implications across an entire organisation – especially for CEOs and boards. It now takes a company-wide culture of security to make any strategy effective. As the age-old adage goes: “you’re only as strong as your weakest link” (or employee in most cases).
Successful CISOs today wear many hats. Having a deep knowledge of the technology is only going to get you so far. CISOs need to have a strategic mind and strong communication skills if they are going to ensure security is truly taken seriously amongst all stakeholders.
Prashant is the co-founder and Chief Information Security Officer (CISO) at Sekuro, a global cyber security and digital transformation company headquartered in Sydney, providing end-to-end cybersecurity and digital resiliency services and solutions. Prashant leads the business resilience function globally, with extensive experience establishing and maintaining cyber security visions, strategies and information asset protection frameworks for enterprises.