This intersect of technical security and the ability to communicate its implications is the new role for CISOs as facilitators of organisational resilience.
As organisations navigate workforce changes from business, environmental and other pressures, the cyber risk landscape is forcing the evolution of the traditional role of the Chief Information Security Officer (CISO).
The change is from a technical specialist to one with an expanded strategic and business perspective, and it’s those who can best adapt to these changes who will flourish.
As we work with commercial and government organisations, we are finding that the evolutionary driver is cybersecurity’s growing importance in day-to-day business operations. Regulators are gradually uplifting the cybersecurity obligations of all stakeholders from management through to the security team, and the board must maintain informed oversight.
These pressures are shifting the CISO from a purely technical function focused on protection, detection and remediation to one that balances what can be made 100% secure against what the organisation needs in order to function.
The pressures, and consequences of failure for a CISO, have also increased. Not meeting the demands of the role can result in fines, collapsed businesses, and even damage individual CISOs’ careers.
So how can CISOs adapt to their environment and guide their organisation's resilience? In many ways it’s by developing the collegiate management skills of their operational management peers.
Change comes from within
The number of people hanging on CISOs’ every word has increased. However, CEOs and other board members, and risk management professionals, are equally responsible if the organisation isn’t handling cyber risk effectively. Stakeholders need the right advice and information upon which to base their decision-making, and CISOs now have a seat at the table.
Similarly, organisations as a whole need to operate effectively: it is too simplistic to say that the most secure IT system is one that is completely air-gapped, and ideally completely inaccessible to anyone. An over-abundance of caution (even if not to that extreme extent) can quickly impact business operations, and as a result profits and share prices will fall.
The CISO is a key player in getting the business-security risk balance right. Over-protective security can quickly limit business opportunity, but managing cyber risk exposure with balanced business-security mitigation strategies enables an organisation to profit from its risk-management skills.
The language explosion
Perhaps the most important evolutionary trait for CISOs is the ability to communicate across disciplines. Reaching beyond an audience of IT and cybersecurity specialists is essential. The board and risk owners need to understand their exposure to risk, so they can act appropriately.
The CISO needs to help the wider business understand how to balance effective operations with an acceptable level of cybersecurity risk, maybe even considering new levers to manage emerging risks.
Effective communication now means that CISOs are required to distil technical information into formats that can guide less technical peers to determine appropriate responses to emerging risks, and support remediation actions in a systematic way. Giving the senior team a list of security controls and their relative effectiveness is less useful than explaining how the organisation’s regulatory reporting is inadequate, for example, because of a lack of visibility of controls across key third party relationships.
This intersect of technical security and the ability to communicate its implications on revenue, cost or risk, is the new role for CISOs as facilitators of organisational resilience.
It might mean mitigation of areas of non-compliance as the organisation seeks to follow best practice cybersecurity frameworks, or it might be coordinating with the management team to devise a more appropriate business process to mitigate operational risks associated with an emerging cyber security threat.
A social species
Good communication isn’t only about choosing the right language, but about understanding. As awareness of third-party risk increases, CISOs need to work with their partner and customer organisations to (i) understand the risk these organisations present so they can advise the business; and (ii) demonstrate that their own organisation is still a safe, trusted partner.
Third-party risk management depends on good data, and so CISOs need to understand what data sources will be most valuable in their mitigation efforts. For instance, an external audit of security and risk exposure will return useful information but may never dive deep enough to expose the true risk picture within an organisation.
At the other end of the scale, an in-depth internal audit could demonstrate risk exposure in minute detail but be so time-consuming and invasive that the report into the risk will be obsolete by the time it is available.
Sometimes, if the goal is simply to help prioritise and direct resources to where they’re most needed, a universally understood red-amber-green “traffic lights” system might be all that’s needed to drive activity. This is where CISOs can really bring their leadership expertise to the forefront – by understanding the stakeholder’s technical information needs, and translating the cyber security environment into a layperson’s reporting framework with a clarity that facilitates decision-making and effective ongoing operations.
In some cases, being able to prove that risk exposure is low, and that potential issues are being addressed, will be sufficient. Being able to leverage solutions that gather reliable evidence to better support security results and decision-making is the more likely way in which CISOs will enhance the organisational resilience and ongoing operation of the entity.
The challenge is making the process as simple and non-invasive as possible so companies can work with multiple partners, in both directions along the supply chain. Identifying those key data points, whether security control performance or adherence to Cyber Essentials, and automating their collection and presentation so they can be shared on demand, will make it much simpler to understand exposures, initiate a response and manage the risks they present.
A never-ending story
The CISO’s role is changing. CISOs now have “an important seat at the table” with a new focus on communication, collaboration and strategy. For some, this may require the development of a range of new skills, but it brings a much higher value to the role of the CISO as they begin to assume a focal role in day-to-day business operations.
Knowing how to communicate vital information, and how to access that information in the first place, will be critical. But if there was ever a role equipped to leverage technical and other solutions to improve productivity, information exchange, and streamline operations, it’s the role of the CISO.
Written by
Peter Woollacott
CEO and Founder, Huntsman Security