The role of CISOs at global organisations has appreciated greatly in the recent past, so much so that they are now playing a principal role in 90 percent of significant business decisions unlike in the past when information security departments were unanimously perceived as the department of "no".
This was found in a study commissioned by Capgemini and IDC which also observed that just 15 percent of business executives at organisations across the globe now consider their respective CISOs as blockers of innovation, signifying that executives may no longer have to bypass information security departments to implement new strategies or to launch new products and services.
This change of attitude is quite significant considering that not too long ago, a majority of businesses either did not have dedicated CISOs or did not deem it necessary to consult their CISOs when taking significant business decisions or formulating new strategies.
According to the IDC study, the modern CISO not only has a seat at the high table but is also playing a principal role in 90 percent of significant business decisions. More than 68 percent of business executives now believe that the importance of CISOs in their organisations has improved in the past three years, compared to just three percent who believe the importance of CISOs has diminished.
The study also shows that less than 15 percent of executives now consider their information security departments as blockers of innovation, just nine percent treat them as compliance hurdles, and only 10 percent think that information security departments are a necessary cost.
However, a majority of executives are not convinced that their CISOs are drivers of competitive advantage or enablers of business efficiency. Fewer than 25 percent of them think their CISOs are proactively enabling digital transformation, which indicates that CISOs need to become business enablers, adopt business mindsets and push digital transformation forward to stay relevant in their organisations.
Such reservations apart, business executives also have high hopes of CISOs in their organisations. Thirty-one percent think their information security departments ensure the protection of customers' interests and 46 percent think such departments are vital to the competitiveness of the products/services offered by their organisations, even though just 13 percent believe their CISOs ensure corporate efficiency.
Because of such expectations, CISOs are being asked for their opinion about significant business decisions in 90 percent of organisations and over 60 percent of organisations are inviting their CISOs to key board and executive management meetings.
To their credit, CISOs have also put in a lot of effort in the past few years to attain greater credibility in their organisations. In its study, IDC observed that CISOs have focused on making security operations more effective and efficient, engaged with the rest of the business, responded to business requests, enabled change, and are now being seen as key subject matter experts by the board.
Commenting on the increasing roles of CISOs as observed by IDC, Jonathan Deveaux, head of Enterprise Data Protection at comforte AG, told SC Magazine UK that the role of the CISO has evolved from primarily managing information security to keep the business secure. There has been a shift from a defensive position, such as minimising threats, to an offensive position, where the CISO provides key input or plays a larger role in providing the business with options to make money at acceptable levels of risk.
"For example: suggestions from a CISO to anonymise sensitive data enable an organisation to comply with industry regulations such as GDPR, PCI DSS, HIPAA, and others. Once the data has been ‘de-identified’, a CISO may suggest moving the data to a Big Data Analytics platform or sharing the data with a third party to gain business intelligence. A CISO would have a clear understanding of the risks associated with moving and sharing de-identified data, and would be in a great position to talk about these risks to board members. This gain in business intelligence may result in a competitive advantage, or could be a way to gain monetary value," he added.
"To ensure that they become leaders and not followers, CISOs should establish close links with the business strategy groups as well as the CTO team. In this way, they can predict technology change and ensure that security is built in from the start rather than as an afterthought," says Richard Archdeacon, advisory CISO at Duo Security.
"Looking for innovative SaaS-based security solutions is one way to do this, which can reduce operational costs and release funds for innovation whilst providing better security and risk management. This will align the CISO with the thinking within the business and the IT department," he adds.
When asked if CISOs are equipped to take calls on significant business decisions, Tim Mackey, technical evangelist at Synopsys, says that while it is true that CISOs have heavy technical and physical security backgrounds, they have to adapt to an increasingly complex technical world where understanding business risk is imperative.
"Solving for this requires a CISO to empower teams to make correct security decisions and thereby scale the security skills within and throughout the organisation. Requiring a CISO to accept approval responsibility for critical fixes only reduces their value within the organisation and reinforces the ‘gatekeeper’ mentality associated with a culture of ‘no’," he said.
According to Joseph Carson, chief security scientist & advisory CISO at Thycotic, organisations have been forced to bring the CISO to the boardroom in recent years due to the impact of regulations such as the EU GDPR and increased cyber-attacks such as WannaCry and NotPetya. In the past, CISOs were unable to influence the board to take action due to their failure to communicate about business risks, typically focusing on threats and fear.
Talking about the role of CISOs in future, he adds that CISOs need to move away from being very technically focused; there is an urgent need for them to be business enablers and reduce business risks, while at the same time promoting a positive experience across the business.
CISOs need to be leaders of business risk, aligned with the overall business goals of the company. They need to focus on how to enable both security and the productivity of employees, looking at everything from a service-defined network.
Javvad Malik, security advocate for AlienVault, also said that the rise in CISOs' profiles is not only due to the efforts of the CISO, but also because many security components have become commoditised as many products come pre-equipped with security features.
"Cloud also has a large part to play in this, as much of the infrastructure security is taken care of, and tools are available to provide data-level security without necessarily impeding the business. External factors such as increased overall awareness of cyber-security risks, regulation, and competitors have also contributed to this," he added.