Towards a New Profile for the CISO

A decade of firefighting has taken its toll on the CISO profession

The role of the chief information security officer (CISO) is changing. If it ever was, it can no longer be seen JUST as a technical role.
In some industries, it is being challenged by the world-wide tightening of regulations around privacy and the emergence of DPOs and other related roles.
Everywhere, it is being challenged by the non-stop avalanche of cyber-attacks and data breaches of the past decade, which have raised the visibility of cyber security to Board level, but at the same time have also prevented many CISOs from getting out of fire-fighting mode.
Senior executives are increasingly endorsing a “when-not-if” paradigm around cyber-attacks and are demanding fundamental change and action beyond day-to-day fire-fighting, often in exchange for very significant investments in security.
They are expecting the CISO to lead such programmes of work, but many CISOs have never been recruited or trained for such a challenge, under such level of scrutiny.
Very often, it is about addressing problems rooted in a decade of lip service or under-investment in security, and it involves a true transformation of many business practices across the firm.
You don’t become a transformational leader overnight, in particular if your background, your skills and your core interests are centred around the more technical aspects of cyber security. Nothing wrong with that, and while the focus was on fire-fighting cyber-attacks all the time, those would have been valuable qualities.
But as the focus shifts towards transformation and execution, the ability to influence across silos and to understand the true nature of the business and the more transversal aspects of security becomes paramount. Those are rarely attributes of a native technologist, and they are not attributes you develop through the constant fire-fighting of technical problems.
So, in parallel with the “lost decade” of cyber security and reflecting it, there is also a lost decade for the CISO profession: a lost decade during which many have hopped from job to job, collecting higher and higher salaries for their technical fire-fighting skills, but without encountering the terrain in which to develop true enterprise-level leadership and transformational skills.
As senior executives turn a page and we enter – possibly – an execution-dominated decade around cyber security, many CISOs are just not equipped to lead.
Let’s say this one more time: just throwing money at cyber security problems won’t make them disappear overnight. Remediating issues rooted in a decade of adverse prioritisation by the business will cost money, but it will also require time and, in many cases, a relentless drive to change mindsets.
Who should do this, if the CISO can’t? There are broadly two types of option.
The first is organisational: models may need to evolve to allow a broader CSO type of role to emerge in large firms, encompassing security at large, continuity and privacy, with the CISO role retreating back to its technical roots. This would by itself attract a different calibre of individual into each role, and such a rebalancing of skills could be key to the success of large-scale cyber security transformation programmes.
Alternatively, the profile of the CISO itself needs to change to adjust to the imperatives of the “when-not-if” era. It becomes essential to start prioritising leadership skills over technical skills and to distribute roles across a structured function, instead of looking for “unicorn” profiles: nobody can be credible on all fronts all day long, from the Board down and horizontally across all functions and geographies of the business. Those profiles don’t exist, and pretending otherwise is just setting the CISO up to fail.