In years past, the Chief Information Security Officer (CISO) role focused on IT needs and internal security. Many CISOs only influenced their own departments, according to the Computer Business Review. They had to wheedle funds from within their organizations. They reported directly to CIOs or CEOs, but were not involved in any Board interaction.
Today, CISOs face changing technology developments and security requirements, as well as a growing awareness outside of IT departments that these needs are so intrinsic to the performance of any company that the CISO must be a partner in company-wide decision-making processes.
CISOs are increasingly called upon to serve as a bridge between tech rooms and the board room. Just as workplace dependence on technology increases, so does the need for buy-in at all levels to understand threats, how to mitigate them, and how to bring departments together to do so. In the coming years, we’ll see more CISOs in the board room, sitting at the table with major decision makers to ensure risk assessment and other technology needs are considered with every business move.
This also calls on CISOs to embrace more “soft skills.” Think business school instead of engineering school — the ability to translate tech-speak into broadly understood needs and goals, and the business savvy to see them implemented company-wide.
This is how security leaders themselves see their future. “The role of the CISO today now requires new skills such as business acumen, risk management, innovation, creating human networks, and building cross-organizational relationships,” writes Bill Bonney, a CISO and security analyst, on a series of LinkedIn posts.
Bonney’s dual roles highlight the other change in the CISO job description. As Katz told the magazine, “In the next five to ten years, it will become two roles – the technology expert and the information risk expert.”
Monitoring PCs and other company-issued devices, as well as devices the company did not issue, has become only one part of the CISO’s role. As more of our workspace technology shifts outside of direct control (cloud data storage, third-party software contracts, employees’ own electronic devices that blur the line between personal and business technology use), the job description has been rewritten. The stakes are higher and the risk keeps growing as more and more information moves online.
Mike Kalac, the CISO of Western Union, told one industry blogger:
“The most important thing to understand is not technology, it’s risk management. Security is not a binary function… we aren’t ‘secure’. We have a spectrum of risks that we will manage to the best of our abilities.”
Nothing can be 100 percent secure, he notes, and some firms will decide to accept certain risks for the sake of their specific business needs.
But making those decisions increasingly means having a trusted CISO who can navigate the management waters and the boardroom as well as they manage IT offices.