Over the years, the role of the CISO has evolved, but as the threat landscape intensifies – targeting both large and small enterprises – this position is rapidly garnering a strategic voice at many organizations.
Once regarded strictly as a technical position focused on fighting the cyber fires created by malware or other advanced threats, the CISO at many organizations now sits at the table alongside other C-level executives.
According to the “2013 IBM Chief Information Security Officer Assessment,” which featured in-depth interviews with 41 professionals who hold senior security positions at their organizations, a majority of participants shared the same primary business concern as their CEO: Loss of brand reputation. The impact can be felt through negative public perception or a hit to stock prices.
What these findings indicate is that many security leaders are tasked with recognizing the risk factors associated with business decisions in order to communicate the impact that incidents may have on brand reputation.
While it might be a tall order to see beyond the technical details of the position, doing so is what earns credibility and trust from upstream management. The changing face of the threat landscape places a focus on thwarting attacks, but according to a recent study by Forrester Research, CISOs should really be focusing on leadership, strategic thinking, business knowledge and, most importantly, risk management.
Jay Leek, CISO at the Blackstone Group, an investment management firm headquartered in New York, believes that the role of the CISO is evolving into more of a chief information risk officer function.
“I do think that it's starting to happen right now, but it's in the beginning of its phase where it's no longer being looked at as a technical role, but more as a vital business function,” Leek said.
Others agree. The position has changed in that it is now more of a business enabler, said Shukri Khader, CISO of Avon Products, an international manufacturer based in New York. He said that because of repeated breach incidents, as well as demanding and evolving regulations and privacy laws, a close partnership between the CISO and the business is “paramount” if CISOs are to lead the risk management discussion.
“The CISO is becoming more visible, with growing authority, accountability and increasing business impact across the organization,” Khader said.