A new report from cyber security provider F-Secure, in conjunction with Omnisperience, says that increased responsibility is creating opportunities for CISOs to become leaders of their organizations. Traditionally, CISOs’ roles were treated as technical roles first, with secondary importance placed on non-technical skills.
However, a series of in-depth interviews conducted for the report with CISOs in the US, UK, and other European countries suggests that this idea is quickly becoming obsolete.
The previous 18 months have compelled CISOs to strike an effective balance between – and alignment of – technical and business skills. CISOs of companies that handle volumes of personal data as a matter of course will be acutely aware of the responsibilities that come with this.
Key findings on the CISO’s evolving role and responsibilities:
- CISOs detailed how their role was increasingly viewed by their organization as less of an ‘internal security consultant,’ focused on the protection of the organization’s assets and people, and more as an ‘operational security officer.’ This has revealed a new challenge: peers within the organization assume CISOs have considered the needs of every department, without taking responsibility themselves to understand the implications of cyber security.
- Events of 2020 placed increased focus on business continuity planning (BCP) policies and their relation to the organization, operation and safety of the business. CISOs also highlighted that they had increased their application of business impact analysis (BIA), taking a view of the dependencies that businesses have on technology and then appraising the necessary security controls.
- Two-thirds of CISOs interviewed understood the increasingly important role emotional intelligence plays in helping them understand, empathize, and negotiate with people inside and outside their organization – a key requirement given their expanding responsibilities.
- Three-quarters of CISOs interviewed for the report indicated that their roles have changed from a pure focus on network risk to cover every aspect of technology now being deployed, with the changes being most pronounced for CISOs working in healthcare, manufacturing, and retail.
- A large proportion of the CISOs revealed they started viewing cloud in a more positive light for both IT infrastructure and business applications – something of a must, given the surging importance of cloud to the success of many organizations.
- 71% of CISOs said they had spent time reading up on emerging (digital) technologies. Among the more interesting topics: operational technology (OT) in manufacturing industries, targeted as a possible attack surface, has been of keen interest to organizations, as have supply chain evolution and the communication architectures used to run a business.
- 61% of the CISOs strongly believe they need to improve their business skills. Beyond that, they felt they must now continually engage with others across the business, updating them on new developments and identified risks. A significant part of this engagement is using their own skills and those of their teams, alongside potential technology, to anticipate and convey the impact on the business should it suffer a cyber incident.
“Today, CISOs are expected to understand and mitigate a wide variety of risks, and then relay that information – regardless of how technical it is – to everyone, from boards and company employees to external security professionals, regulators, and even law enforcement,” said F-Secure’s Tim Orchard, Executive Vice President, Managed Detection and Response.
Additional insights in the report include:
- Most CISOs felt secure in their position at the time they were interviewed; slightly more than a third were considering leaving their position or changing professions
- Two-thirds of interviewed CISOs spent significant amounts of time with external communities of interest, such as CISO roundtable discussions
- Regulations and privacy were increasing responsibilities for over half of interviewed CISOs
- 65% of interviewed CISOs saw themselves as critical to their business
It was clear from the discussions that CISOs’ move to perimeterless environments is ushering in a new focus. Data, rather than assets, is the point of concentration, and it is where CISOs are actively working to build and renew skills and knowledge.