Meet the new boss. Same as the old boss. But the role and responsibilities have completely changed. The Department of No has become the Department of Know. Rather than defending the enterprise at the expense of visible productivity- which forces workarounds that actually expand the threat matrix- the CISO's new raison d'etre is to enable business (in any language). So went our recent post on LinkedIn.
New Talent, New Mindset
Current Horizon Power CISO and former CSHub APAC speaker Jeff Campbell notes the sea change in inbound talent, “CISOs used to come from the computer science background. And the traditional feeds into the cyber security field still apply. “We continue to see “CISOs come from counter terrorism backgrounds and risk backgrounds.”
But that's radically changing. “We're starting to see CISOs come from Change backgrounds because of the rapid change in the security landscape. Being a generalist can sometimes benefit the enterprise by looking at new approaches.”
Not Just New: Well-Rounded
New talent with new mindsets are bringing new value to the cyber security team. But that new value must be balanced with traditional cyber security value says CSHub Executive Board Member Kayne McGladrey. “If you go too far with somebody who's got no prior with cyber security background, you run the risk of ending up with strange alignments.” The decision to task executives, who don’t understand the technology with the ultimate decision-making on that technology, is fraught with danger. “It's very possible for a cyber security vendor to befriend them and tell them that their solution is the best solution and that they ‘only need to buy the single pane of glass.’” It might be true, it might not be true- but the decision-maker needs to be the person who can truly evaluate that question.
Top-Level Buy-In
Top-level Financial Services Regional CISO and upcoming CSHub Financial Services speaker Tom Kartanowicz notes that even with proper controls, new talent with new mindsets will only get you so far. “If you don't have buy-in and accountability from your senior people, you're not going to get resources, money, et cetera.”
Enabling Business
In Doctrine in Depth, Florida Crystals CISO Christine Vanderpool noted that she is focusing on enabling business. In essence, she concerns herself with things “that elevate and help the business rather than just saying no.”
When asked if she’s a BISO- a Business Information Security Officer with a CISO title, she responds, “I wouldn't have a job if, if we weren't doing what it is that we do as a company. I work for a consumer packaged goods organization. So I need to always remember that that is the purpose of why we are here. We are not here because of security. We are here because we make a product that is sold to consumers. And that should be the focus.”
We are not here because of security, but cyber security is what keeps us here. And being a business executive who can cogently explain the benefits of technology to the enterprise is the key for a CISO moving forward. McGladrey expands, “the initial focus of CSOs was very technology-oriented and early CSOs could identify solutions but they couldn't necessarily sell those solutions internally for budgetary allocation.” It was a new and complex role without a lot of focus from top-level management.
Business + Technology
“It remains a very complicated role because you have to ultimately be able to speak, to three separate audiences: the business folks- who are interested in cost controls and also cost savings and cost improvements, and material effect of the business. The technology folks: who want to know that you're doing the cyber right. And legal folks: who want to know that they're adequately shielding the business from legal and regulatory risk.”
The CISO job function was always difficult. And the arduous nature of what needs to be done is only being dialed-up. Kartenowicz offers a thought, “You really need to be a more business-aligned CISO. Keep one foot in IT of course, but keep that other foot now in risk communication, compliance, business processes, et cetera. You don't have to know it all. There's only so much time in the day. But you surround yourself as the people who do know those things.”
Campbell agrees, “We're going to see more individuals that are rounded, from a business perspective, step into these roles. But don't get me wrong- you still need to have the technical depth- and whether that's you're surrounding yourself with people that can filter that through to you, or having that yourself- you still need to understand some of those technical concepts to actually know what security approach is best.”
Meet the new boss, same as the old boss. But the role and responsibilities have completely changed. Not just any change agent will do in the CISO role. The CSHub community insists that new talent with a new mindset isn’t all that’s needed. Because even if that executive is fantastic at making the business case for cyber security technology, that technology still has to work correctly for your specific enterprise. The only way to be certain that will be the case is to have a solid background working with cyber security technology.
The new CISO journey might be different with new starting points and new stops along the way. But without technical and technological know-how that journey can end in disaster. The new CISO journey must still include the paramount step of understanding the tech.