Despite big responsibilities compounded by a string of headline-grabbing data breaches, the skies are looking brighter for CISOs.
No, the challenges haven't gotten more manageable.
The CISO is still charged with enabling their organizations to share information more broadly, while ensuring that critical business information is protected. Employees may be getting a better understanding of cyber risk, but quite often CISOs' pleas for them to work more safely – changing passwords, refraining from clicking on suspicious links, and accessing only what they should – still fall on deaf ears. And of course, the CISO does not control the actions, environment or management of the partners and customers who access the organization's data every day.
But now, as a direct result of disasters like the eBay and Target breaches, the stakes of data security are becoming painfully clear to the CEO, board of directors and other senior executives. The CISO is still the CISO, but suddenly, the job offers new opportunities to wield real influence.
How we got here
Target and eBay have illustrated that a breach puts a company's entire business at risk. After cyber criminals gained access to information for as many as 110 million Target customers, the media had a field day, customers voted with their feet and sales plummeted, and Target's stock price and brand suffered. Next, eBay lost the trust of many customers by taking weeks to report a breach that happened months before it was discovered.
As a result, cybersecurity risk is now prominent on the agenda of senior business leaders and in boardrooms. Directors rated it the fourth most important risk to be managed, in a recent EisnerAmper survey. And the top three risks – financial, reputational and regulatory compliance risk – hinge on cybersecurity as well.
In other words, the CISO has new clout at the power table. This is good news for CISOs who have not always been given the authority commensurate with their responsibilities. As recently as March, there was a distinct sense of futility among American IT executives. In a recent Courion survey, while 95 percent of respondents' IT security teams considered breach prevention a serious issue, they believed only 45 percent of the employee base felt the same.
Courion's UK survey found a similar lack of employee commitment to data security practices:
- 39 percent of people shared work login details with colleagues despite regular warnings about protecting passwords.
- A third (33 percent) of UK professionals said they'd consider accessing a previous employer's data to help them with a new job.
- 21 percent of UK professionals said they'd snoop on sensitive personal data if they had access to it.
But the ship is turning. CISOs are beginning to be viewed as the business leaders they need to be, with the required juice to affect employee behavior and enterprise-wide processes.
A familiar evolution trajectory
With respect, however, comes even more responsibility. As the rest of the C-suite has begun to acknowledge that information security is a truly strategic consideration, CISOs have been required to adopt – and clearly communicate – a broader vision of the business.
CISOs are going through a transformation in their job descriptions similar to the one CIOs went through a few years ago. They're evolving from isolated technocrats to business strategists. Enterprises face the opportunity and competitive challenge of expanding digitally with an increasing understanding of cyber risk, and they look to the CISO to help them strike the right balance between making the business more accessible and keeping it protected.
In today's world, the value of an activist, business-focused CISO is skyrocketing. The evolution from corporate police officer to corporate enabler is proceeding rapidly. CISOs are in position to lead more meaningful conversations about the trade-offs of accessibility and security, about risk and business value. And they are getting the license to execute the strategies for which they had not been able to gain business buy-in in prior years.
It's not just CISOs who are changing. Senior business executives increasingly understand the opportunities and risks of the 21st century's “access explosion.” They understand that dismissing the CISO's information security proposals as “insurance” whose purchase can be delayed until next year could put their organizations, and themselves, in peril.
Not all organizations and not all CISOs are there yet. But now is the time to make your move. Let's collectively take a deep breath and affirm information risk management as a truly strategic issue. Let's be fearless communicators and make bold cases for sustainable security cultures in our organizations. If a CISO preaches anything today, it should be that the balance of risk and reward is the goal of IT security – and that IT security isn't a department; rather, it's an enterprise-wide team in which everyone is security aware and responds to risks appropriately anytime, anywhere.