The days when security was only important to financial services and defence organisations are long gone. With the substantial increase in data breach fines introduced by the European GDPR and the devastating operational impacts of ransomware on organisations – from local councils and retailers to oil pipelines – information security is now a major concern for organisations across all industry segments and sizes. The cost of failure can be substantial. The influential IBM Cost of a Data Breach Report 2022 put the global average cost of a ransomware breach at $4.35m, which excludes the ransom.
The war in Ukraine has intensified threat levels significantly, with governments around the world warning of an increased risk of cyber-attacks from Russia. Boards are asking more questions than ever about security and want answers in a language they can understand – profit and loss.
Many years ago, the IT Director had to add security to their responsibilities, with specialist cyber-knowledge residing with a relatively junior member of the team. This meant information security focused primarily on technical IT solutions. There were often insufficient resources to fully understand the security posture of the organisation and how to improve it. Nobody senior had the job of driving the security agenda against the operational objectives of the wider business. This legacy operating model often failed to pacify the concerns of the board.
Birth of the modern CISO
This gave birth to the modern CISO with completely different responsibilities. Steve Katz, generally regarded as the world’s first CISO, was appointed by Citicorp in the US in the mid-1990s, following a serious hack. He defined the role, believing he must understand the business and the risk it faces so he can put its requirements first.
As the CISO’s role has evolved, their key responsibility has become to articulate the security risks across the business in financial terms and demonstrate the value of improving security against competing operational demands. For example, why is a £50k piece of security software better value than recruiting another member of staff? A CISO has to make the case and be prepared to stand by their judgement.
As well as improving security, the much harder task for a CISO is to understand when and where it is acceptable to reduce security to increase business efficiency. Security is easy if you want to stop an organisation operating, but balancing security, cost and operational efficiency is a fine art that takes skill and experience.
The CISO’s role is often multi-faceted now. The explosion of investment in cyber-security technology means CISOs must keep up to date with new propositions from vendors, while at the same time supporting their own organisation’s sales function. With security a key factor when choosing a supplier, the CISO must demonstrate to prospects that their organisation is the right choice to protect business-critical services and data.
The CISO must have soft skills and business acumen
These responsibilities mean that a completely different skillset is required. The CISO needs great interpersonal skills to understand, engage and persuade other people within the business. They need effective communication skills to make their case to the board, who may have little security or IT knowledge. In addition, today’s CISO needs experience of building and retaining high-performing teams, allied to a solid understanding of finance to appreciate the value vs cost of security.
Business acumen is becoming as important, if not more important, for a CISO, as knowledge of security itself. To what degree largely depends on the size of the business. For larger organisations, it is the role or the security team to understand where the gaps are and what they need to do to address them. The CISO’s job is to explain to the board why they should release the funds so the team can implement the right solution.
In this approach, the CISO does not need to display extensive technical knowledge. It is their softer skills that are likely to provide more value to the security of the business.
For smaller to medium-sized organisations with small security teams, or even a lone CISO, technical skills will be more important. The CISO in an SME needs to have technical conversations with teams, identifying weaknesses and helping to design secure processes. They also need the same soft communication skills so they can inculcate cyber-security culture and best practice effectively across the business and to lay out their agenda to the board. This makes recruiting for a CISO at a mid-sized organisation difficult, especially now when vacancies requiring cyber-expertise are difficult to fill.
Yet whatever the size of the organisation, CISOs must now possess a good measure of business acumen. Organisations looking to recruit must accept this is no longer a nice-to-have but a mandatory requirement for the role. Once they are supported by the right team, security skills and experience can be an optional extra, however. The evolving role of the CISO means they must focus on shaping their organisation’s security posture to suit the needs of the business and the need to grow and expand revenues despite all the threats.