The role of the Chief Information Security Officer (CISO) has expanded over the past decade thanks to rapid digital transformation. CISOs now must be much more business-oriented, wear many more hats, and communicate effectively with board members, employees, and customers, or risk serious security failures.
In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents (VPs) from international organizations talked about how digital transformation, bottom-line pressures and a lack of security have forced a change in the nature of their positions, in general, from technical to entrepreneurial and highly social ones.
Today, they suggested, the difference between an effective CISO – and, by extension, an effective security culture in an organization – lies as much in softer communication skills as it does in vulnerability mitigation and policy making. In fact, security leaders who thrive on the latter but lack the former end up exposing their organizations to serious breaches.
“Did you ask about consequences?” Dan Creed, CISO at Allegiant Travel Company, asked rhetorically in response to a question from Dark Reading. “Ask SolarWinds what the consequences are. They had a password policy, an intern didn’t follow it, look at the consequences.”
How digital transformation has transformed the CISO
“The role of the CISO has changed over the last 10 years, and we’ve never stopped noticing it,” said Frank Dickson, program vice president for cybersecurity products at IDC, at a separate CPX press conference on March 6.
Years ago, the position was created with the relatively narrow focus on cyber risk that it is still associated with today. But it has expanded, thanks primarily to the expansion of the company’s attack surface. Typical breaches required vulnerabilities in company assets: think Target, Ashley Madison, and the like. Nowadays, especially post-COVID, it is employee emails, phones and other devices which instead represent the greatest risk for organizations. As the responsibility for information security has become collective, CISOs have been forced out of their silos.
Frank Dickson briefs the press on new IDC report; Source: CPX
Digital transformation has also moved IT from its isolated corner directly into the business sector. As Dickson pointed out, “About 40% of all revenue in the [Global] 2000 in the coming year will be driven by digital products and services. This is going to change the nature of IT from a cost driver to something that is on the path to revenue generation. And if you think about what that entails, it fundamentally changes the role of the CISO.” The more companies today conceive of IT as a business driver, the more CISOs must be integrated not only in the prevention and mitigation of cyber risks, but also in advising the board on business decisions and meeting with developers, vendors and customers.
The CISO’s growing business-facing responsibilities are reflected in an IDC survey presented at CPX. Of the 847 cybersecurity leaders surveyed, 10% believe the most important job of a CISO is leadership and team building skills, while 8% believe it is business management skills. Effective cybersecurity awareness and understanding, as well as IT architecture and engineering skills, received slightly more votes, with 12% each.
How CISOs can do better for employees
It’s not just that CISOs should double as businesspeople: they need to. “The consequence of not establishing those relationships [is that] in the company you acquire the culture of ‘Well, it’s not my responsibility.’ Like SolarWinds and MGM. They reset their MFA simply by calling the Help Desk, even if they don’t understand or realize the consequences of not being security aware,” Creed explained.
The subtlety of Creed’s argument – echoed by others at the roundtable – is important. Preventing security mistakes by employees isn’t simply a matter of raising awareness, they point out, because even the most knowledgeable employees ignore security when their relationship with the security team isn’t healthy or when hygiene is simply too challenging.
“[They say] security should be hidden. I take it a step further: Security should lubricate the business and make it faster,” said Pete Nicoletti, Field CISO at Check Point, echoing the evolved philosophy of the modern CISO. He offers VPNs as an example of where the old, limited CISO style has traditionally slowed down business. “How long does it take to load my email: two seconds or 10 seconds? How long does it take to sign in to the VPN? Am I [employees] going to work around it because it takes 22 seconds and authentication? [It’s about] trying to make them as transparent and easy to use as possible. Start choosing tools that actually speed up the process, to the point where you now have a competitive advantage.”
“Some of the first initiatives I’m leading are exactly that,” Creed said. “Let’s move away from the VPN and into an always-on mode where, with your laptop, you turn it on, you’re on, and you’re connected to our network, going through our security stack. The next goal is that now we’re laying the groundwork to move to passwordless systems.”
If talking to employees and simplifying their security isn’t enough, CISOs can also experiment with alternative incentives. “We actually have KPI metrics around security culture. And we’re getting ready for the point where we start to actually impact bonus pools, to the point where if your department does better, it will increase your bonus pool above the norm [. . .] and if you don’t, then your bonus is reduced,” Creed explained.
How CISOs can collaborate better with their executive colleagues
Then there’s the scoreboard.
In its survey, IDC asked CISOs and their CIO colleagues what CISOs actually do (for example, whether they focus on strategic architecture or whether the work is tactical by nature) and found non-trivial discrepancies in the responses, indicating that even the CISOs’ closest C-level partners are not totally on the same page.
Creed recalled one such instance recently, where “We ordered some new 737s. And these are our first e-connected airplanes. [The board] didn’t include me in previous conversations, and then it became a fire drill that all new e-connected aircraft have cybersecurity requirements – which, in fact, if you don’t have an approved and accepted network security plan on file with the FAA, you lose the airworthiness certification for that aircraft. Do you think the board, when they started talking about going down this path of ‘we’re going to expand the fleet’, considered that there might be security implications?”
“So you have to educate them and explain to them: this is why we need a seat at the table. In every strategic decision made for the company, there is a risk involved. [. . .] The more you include us sitting at that table, the better we can protect the business and assess the risk when it first occurs rather than when it becomes a wildfire,” he said.
To that end, in an interview with Dark Reading, Russ Trainor, senior vice president of information technology for the Denver Broncos, offered a simple tip:
“Sometimes I will forward the news of breaches to my CFO: here’s how much data was exfiltrated, here’s how much we think it cost,” he says. “Those things tend to hit home.”