Cybersecurity is headline consumer news. Hackers and criminals are regularly penetrating some of the most prestigious networks where the identities and credit cards of millions of ordinary citizens are stored. The ripple effect for security professionals should be sounding a tsunami horn. Security is now being discussed at the highest levels of business and government. One effect of the latest wave of hacker attacks is making ours one of the country's most sought after professions and one with a significant amount of “job security” (for the foreseeable future). On the other hand, more C-suites and boards are asking if simply hiring a chief information security officer (CISO) and a security team really solves “the security problem.” More to the point, savvy executives are asking “just what is our security problem and what kind of CISO do I need to solve it?”
Companies and CISOs who narrowly define security problems as quickly backfilling a compliance hole or responding to media hype almost inevitably have security teams that are reactive and lack vision. These companies will discover that hiring a CISO will not, by itself, fix years of delinquent security practices or make them more competitive in the marketplace.
What's more, their CISOs will learn that their jobs are not so secure in such companies, despite the generic demand for their profession. Such CISO are likely to keep their résumés polished in case their anxious executive leaders demand to know “why they aren't bulletproof yet?”
"Companies committed to protecting their systems are more likely to succeed if they also make the proper investment in a vision for making security a business enabler."
On the other hand, companies committed to protecting their systems are more likely to succeed if they also make the proper investment in a vision for making security a business enabler. The executives at these companies don't just ask about compliance. They also ask “what can our security organization bring to our corporate vision?”
This kind of vision is a paradigm shift in the approach to cybersecurity that we see more organizations taking in the face of the changing threat landscape. We see more organizations pushing back on the “compliance-only” mindset and pushing for a new direction in security. More organizations are moving away from reactive, tactical thinking and beginning to embrace the idea that they need a security program based on their corporate business objectives designed to address the breadth and depth of information risk management.
In my experience, one thing these companies have in common is a CISO who was able to educate executive leadership about what security is and what it isn't. Before sitting down with their C-team, the CISOs were also able to use an industry framework to systematically approach their company's security and risk management issues in an organized, thoughtful way. This drives them to build a security roadmap and follow it, adjusting when necessary based on the threat landscape and changing business priorities.
Consequently, this paradigm shift is opening the door to a different breed of security professional. Specifically, it's no longer enough to be a 20-year security veteran. CISOs today must also have diverse business backgrounds so they can act as cultural ambassadors for security. Knowing how to build relationships with the business, understand what other divisions need to do their jobs and finding ways to balance security risk with those needs so the company can grow is a critical skill.
In other words, successful CISOs need to master more than system security to make their companies competitive and improve their own job security.
Photo by Joseph Eddins Jr.