IDC, in conjunction with Capgemini, recently published an analysis of the modern CISO. The analysis combines retrospection, the current state of play and a look at the future. With over thirty years of experience, having lived through much of what the report covers, I approached it with a keen level of interest. Would the report match what many of us have experienced?
For many years the attitude of the cybersecurity profession reminded me of the old Cold War nickname for Andrei Gromyko, “Mr. Nyet” (“Mr. No”). Some in our profession were viewed as business blockers rather than enablers. The level of engagement with the business was low. There was also a tendency to stay safely in our silo, emerging only to correct a problem and then reverting to our domain. Having witnessed this many times in my own career, I decided early on that our philosophy should be: “My job is not to say ‘No’; my job is to figure out how to say ‘Yes’.”
Through the years, our profession has matured into one that is viewed today as “a driver of competitive advantage or differentiation” and “an enabler of business efficiency”, as the study suggests. Interestingly, when discussing the importance and perception of cybersecurity to the business, the views of CISOs and business executives were within 1.5% of each other on all subjects. Why is information security important to the business? The two highest-scoring responses to that question were that it is “vital to the competitiveness of the products/services offered by the company” and that it acts as a “protector of the interests of the customer”. We are no longer selling cybersecurity to executives on the basis of asset and brand protection; we are selling it on business benefit.
How the role of CISO has transformed
In my first CISO role, which was for a mid-market health insurance company in the US, the first near-term goal I established was the formation of a board-level Risk Committee. The chair of that committee was the General Counsel, who was also a member of the Board. This gave business risk and cybersecurity the exposure that was needed. The survey found that over 60% of organisations have the CISO attending key board and/or executive management meetings, and that over 90% of CISOs have medium to high influence on board and management decisions. This clearly shows that the CISO position has moved into a higher-visibility role.
As we have seen, this has come about through a noticeable transformation in perception and approach. The CISO is no longer viewed as a business blocker but as an agent of change. This has brought about a sea change, from the siloed approach to engagement with the whole of the business, including the board. CISOs are now leading as entrepreneurs and innovators, focusing on making the business more effective and efficient, not just on security operations.
What is the next step for CISOs? Many modern businesses are concentrating on reaping the benefits of digital transformation. Unfortunately, less than a quarter of business executives see information security as a proactive enabler of digital transformation. CISOs largely agree: less than a third of them regard information security as a proactive enabler of digital transformation. CISOs must visibly participate in the transformation of the business through active engagement in areas such as cloud, IoT, mobility, artificial intelligence, machine learning and blockchain.
CISOs have earned a seat at the table, but they must continue to earn that place by becoming role models for operational change. They must look for additional avenues to increase the efficiency and effectiveness of their companies: outsourcing non-strategic elements, removing obsolete technology, making security business-as-usual, and pursuing automation and orchestration opportunities. The CISO’s position has come far; the only question is where that journey ends. CEO?
Richard R. Starnes, Chief Security Strategist at Capgemini