Cybersecurity has moved over the years from an afterthought to a primary focus of nearly every organization. The causes are well understood: the embrace of digital platforms for the speed, efficiency, and services they make possible; the vulnerabilities that come with that embrace; and an increasingly large and sophisticated group of cybercriminals who can make millions by exploiting those vulnerabilities.
Consequently, organizations have had to strike a new balance between business goals and security. Emphasizing one over the other can have disastrous consequences, either by hampering operations and the revenue they generate or suffering a breach and the loss of not only revenue, but also reputation (to say nothing of the costs from stakeholder lawsuits).
These new corporate concerns have affected the role of the Chief Information Security Officer.
On the one hand, the CISO has more responsibility than ever to prevent breaches. On the other hand, there’s a growing recognition that true security is a company-wide effort and confining security issues to technical considerations is a dated idea at best. As has been our refrain in these articles, security is a matter of people, processes, and technology. The successful CISO knows how to corral these forces throughout the organization to keep it secure while keeping operations running smoothly.
But there’s far from a united view across corporations on the role of a CISO and the CISO’s ranking in the company hierarchy. While each company must decide how best to align its people and positions, it can be illuminating for anyone with security responsibilities to understand the CISO’s changing role and the shifting dynamics that are driving that change.
The Historical Role of CISOs
In the greater scheme of things, the position of Chief Information Security Officer is relatively new, dating back to the 1990s and the first cybersecurity breaches. Chief Information Officers had been around longer, but not much. Only when IBM introduced its personal computer in 1981, and the era of information technology dawned, did it seem necessary to create the position of CIO. By contrast, the title Chief Executive Officer has existed since the early 1900s, necessitated as companies shifted to mass production and the larger scale of business that resulted.
The CIO had ranked above the CISO because in the 1990s, information security was still a nascent idea. After all, most information was stored on-premises and shared internally. In fact, a report by the Security Transformation Research Foundation and Corix Partners[1] on the role of the CISO doesn’t even begin its historical trend line until 2002. This initial phase – lasting until 2009 – was labeled the “Compliance Decade” by the authors of the report. CISOs were concerned primarily with meeting whatever requirements were imposed on their industry, either by an association or by a set of laws. Such regulations included landmark legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the Financial Services Modernization Act, and the Homeland Security Act, among others. The CISO’s focus was on keeping the organization from doing anything that would run afoul of the authorities.
In the era that followed – 2010-2019 – CISOs worried not just about regulators but about the threat actors who were becoming more than an occasional nuisance. The Security Transformation Research Foundation described this as the “Firefighter Decade,” a time when CISOs and their teams scrambled to put out one cybercrime blaze after another. We have discussed this reactive mode as one of the earlier stages of the cybersecurity readiness maturity model, to be superseded by the stages in which the security team gets ahead of threats before they occur.
The research foundation calls the current CISO era, starting in 2020, the “Era of the Transformational Leader.” In this era, the CISO moves from a reactive, technical role to a more prominent, cross-company leadership status. Cyberattacks are no longer seen as something that might or might not affect a company. Instead they’re seen as inevitable — and the question is when, not if, they’ll occur. Consequently, the entire organization has to be prepared for a breach, allowing modifications of operations to accommodate such preparations, and supporting the quick reaction needed to minimize damage.
“More than ever, this is about culture and governance, not just technology,” the report by the Security Transformation Research Foundation said.
Ideals and Realities About the CISO Role
A panel of commentators on Security Weekly recently weighed in[2] on what CISOs need to do to fully prepare for their new role as corporate leaders. The panelists – all experienced cybersecurity leaders – reviewed the article and added that an effective CISO needs to thoroughly understand the various functions of a corporation. That requires, for example, digging deep into the way the finance department or human resources department operates so that the CISO can identify risks in the process. How might the company be vulnerable as HR executes the 401(k) contributions made by employees?
By digging into those details, the CISO not only identifies potential risk areas but also builds a connection with other leaders by understanding their concerns and speaking their language, the Security Weekly panelists said. To be a transformative leader, the CISO must have the trust of the other executives in the organization.
But the reality is that most CISOs are not at the top level of their companies and may have less authority to act upon their transformative ideas than they may wish. A 2021 survey of CISOs conducted by IANS Research and Artico Search[3] showed that 69 percent reported to a technical leader – either a CTO or a CIO. Only 18 percent reported directly to the CEO. The remainder reported to a chief risk officer, CFO, or general counsel. In fact, that 69 percent figure is up slightly from 2020, when 66 percent of CISOs said they reported to a technical leader.
The SEC’s Potential Effect on the CISO Role: CISOs on the Board
One of the most important drivers in the change of the CISO position comes from the Securities and Exchange Commission (SEC). As described recently in an article by the insurance brokerage and consulting firm Woodruff Sawyer[4], the SEC believes that public companies have not been as forthcoming in their corporate filings with the commission as they should be regarding cybersecurity incidents. That means that shareholders are not as aware as the agency thinks they should be regarding dangers that could affect the value of a given company.
Therefore, the SEC is proposing new rules that not only would require public companies to disclose “material” cybersecurity incidents in a timely fashion, but also beef up the cybersecurity responsibilities and expertise of the board of directors itself.
To show that at least one of the board directors can be considered an expert in cybersecurity, the SEC suggests several criteria to consider, including:
- Whether the director has prior work experience in cybersecurity
- Whether the director has a certificate or degree in cybersecurity
- Whether the director has knowledge, skills, or other background in cybersecurity
Of course, simply tightening cybersecurity reporting requirements and having a board member with cybersecurity expertise isn’t enough to achieve the SEC’s objective. Its proposed rules also would require management to describe its role in cybersecurity with such information as:
- Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk
- Whether the company has a designated Chief Security Officer and to whom that person reports in the company’s organizational chart
- Whether and how often the management committee or the CISO reports to the board of directors or a committee of the board of directors on cybersecurity risk
These rules are still in the proposed state, but the idea that the SEC should require a board of directors to have certain skill sets is not unprecedented. The Sarbanes-Oxley Act of 2002 spurred the SEC to require companies to have board members with financial expertise to fulfill the mission of the new law — namely, that the financial status of a public company must be fully disclosed in agency filings.
These proposed rules highlight the greater concern that federal authorities have shown recently regarding the cybersecurity preparedness of American corporations. Attendees at RSA Conference 2022 in San Francisco noted that for the first time, the Federal Bureau of Investigation (FBI), National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) all were staffing booths at the convention.
The potential upshot of the SEC rule change would be to elevate the visibility of the CISO to board level. By 2025, Gartner predicts that at least 40% of boards will have a dedicated cybersecurity committee overseen by a qualified member of the board. After all, if boards are going to be held responsible for a corporation’s cybersecurity practices like vulnerability management and vulnerability prioritization, the board members will need someone from the executive team to keep them fully informed.
Recommendations by Other Experts
Many industry insiders also advocate for CISOs to gain status in their organizations. The writers of the publication Security Intelligence contended in a recent article[5] that CISOs should report directly to the CEO or another C-suite executive. It was logical for the CISO to report to a CIO or CTO initially, the publication’s writers said, because the job required focusing primarily on the technology needed to protect the organization.
“With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.”
Why? Because CISOs need significant resources to prioritize and remediate vulnerabilities and fight off breaches, and breaches have public relations, human resources, and legal implications. But a CISO reporting to a CIO may be denied those resources because they’ll hurt short-term profitability, which may affect the CIO’s compensation. If a breach does occur, the CIO may treat the CISO as the “fall guy” to avoid blame. The Security Intelligence writers cited an excerpt from “The Coming Cyber War: What Executives, the Board and You Should Know” to underline the point:
“’Cyber Security is an enterprise-wide risk management issue — there is no backing away anytime soon from this reality.’ Moving the CISO into alignment with the rest of the C-suite allows business risk drivers to inform security decisions. Providing CISOs with proper authority and alignment with other C-suite executives empowers organizations and enhances cybersecurity resilience.”
The former CIO of McAfee, Scott Howitt, has an interesting alternative: the CIO and CISO should team up and share power[6]. Howitt (currently Chief Digital Officer at UKG) had been a CISO previously, and for a short while, his role as a CISO elevated him above the CIO. He reported directly to the CEO while the CIO reported to the COO. And CIOs were finding their function further subdivided into other technical roles: the Digital Business Officer, a Chief Innovation Officer, and a Chief Data Officer among them. This phase occurred as boards first gained awareness of cybersecurity issues and provided significant resources to leadership to fight cyberthreats.
That changed as cybersecurity budgets were trimmed but expectations on both the CISO and CIO remained high. In Howitt’s view – as shared in a presentation to the Quartz Network – this presents an opportunity for the CIO and CISO to benefit from one another. The CIO can tap into the CISO’s technical knowledge, which is likely to be more up to date because “the CISO doesn’t have the luxury of not understanding, being able to ignore certain technological advancements. They have to understand all technology and how to secure it.”
At the same time, the CIO may have a better understanding of budgets, business priorities and business partnerships than the CISO. Teaming up, the two can help each other meet their objectives and balance the need for security as well as business results.
The roles of the past and the separation of functions have to be rethought for the CIO and CISO to succeed, Howitt says. “The best way to predict the future is to invent it. You can’t always wait for perfection to happen.”
The SEC’s Potential Effect on the Board
The SEC’s proposed requirements resonate past the role of CISO and throughout the board itself. Boards will, understandably, need to adapt to the reality of cyber risk and the impact it has on the business as something that is neither likely to go away nor become more predictable as attacks continue to grow more sophisticated and as more vulnerabilities are introduced.
This isn’t necessarily wholly negative. The new attention from the board on cybersecurity obviously ensures business continuity and delivers ownership of cyber risk. But it also means that cybersecurity programs – notoriously underfunded and understaffed – now have an advocate in the room as budgets are discussed and decided.
The challenge for standing board members, as well as for CISOs or CIOs coming in, is overcoming the technical language barrier. Cybersecurity experts tapped to inform boards must find a way to communicate and report effectively to the board in language that makes sense to it. The metrics and insights typically used to demonstrate the effectiveness – or lack thereof – of security programs must be adjusted to the new, nontechnical audience.
Suggestions for CISOs
We at NopSec don’t presume to know what individual CISOs should do within their organizations to balance security and business needs. That will be largely dependent on the structure of each company, the other people involved, and the managerial styles of the C-suite and board of directors. We do believe, however, that CISOs should be cognizant of the way their role has changed over the years and the different skills required to assume a more strategic, company-wide leadership position.
Going forward, CISOs involved with the board will need to be able to translate technical metrics and insights into language that resonates with non-technical board members. CISOs will now need to focus less on their technical knowledge and more on their expertise in business risk — and be able to communicate that to the board and other leadership levels.
Our purpose is to bring cybersecurity professionals the latest thinking about the field, as well as provide a set of tools that can make their jobs easier to execute. We invite you to familiarize yourself with our advanced cyber threat and exposure management platform – United VRM – and how it can help you and your team mitigate the risks that matter.
[1] “Cyber Security: A Look Across Two Decades,” The Security Transformation Research Foundation and Corix Partners, 2019.
[2] Security Weekly podcast, Episode 265, panelists Matt Alderman, Jason Albuquerque, and Bill Brenner, June 13, 2022.
[3] “Benchmark Insights: 2021 State of the CISO Report,” IANS Research and Artico Search, released April 2022.
[4] “The SEC’s New Proposed Cybersecurity Disclosures: Next Steps for Boards of Directors,” Priya Cherian Huskins, Woodruff Sawyer, May 25, 2022.
[5] “Why CISOs Shouldn’t Report to CIOs in the C-Suite,” Security Intelligence Staff, Security Intelligence, Dec. 21, 2021.
[6] “Balancing the Tug of War: How CIOs and CISOs Can Partner for Better IT,” Scott Howitt, Quartz Network presentation, 2021.