Tomorrow’s Chief Information Security Officer
The future CISO is a forward-thinking IT business leader with deep exposure to the C-Suite and Board. They are security guardians – prescient and proactive in cyber risk management – and highly strategic at adapting, preventing, and responding to cyber risk threats. Further, they convey these threats through metricated data to protect an organisation’s finances, assets, brand and customers.
While the cyber security function has been around for decades, only more recently has it gained traction as a core leadership position in Australia. In the past 18 months, CISO appointments within the ASX100 has seen unprecedented growth. AGL, ANZ, Qantas, Telstra, Tabcorp, National Australia Bank, Commonwealth Bank of Australia, REA Group and Medibank, to name just a few – all have appointed CISOs. In many instances, these were ‘first-time’ appointments for the company in question.
Why is this occurring? The growth in data-centric business management is a clear catalyst. Beyond data, modern shareholders have an increased awareness of data breaches, and their bottom line impacts. The numbers speak for themselves. Yahoo: an estimated $350 million cost in 2016. Target & eBay: an estimated $100 million+ losses, in 2013 and 2014 respectively. And most recently, Uber: a yet unspecified dollar-value from the hacking of 52 million users’ data including customer names, email addresses, and mobile phone numbers, as well as the names and licence numbers of many drivers.
How does the future CISO adapt to theses breaches? What skills and attributes must they bring to ensure security protection in rapidly evolving data-driven corporate landscapes?
The future CISO will need to be prepared to take on more responsibility as breaches will only grow in complexity and magnitude. To meet the future the CISO will need to be a thought leader, always updating their understanding of the avenue available for cyber threats. Today, this is Blockchain, the Internet of Things and Cloud Computing. Tomorrow? The future CISO knows.
Board & C-Suite Upskilling
CISO’s are emerging from traditional technologists into highly qualified business leaders. Nowhere is this more evident than the role they increasingly fulfil to the Board of Directors. With many Directors trained and educated prior to the digital era – in some cases, prior to personal computing – CISO’s are required to forge linkages between generations. Technical expertise is not enough to bridge this gap. Modern Directors are expected to provide oversight across matters beyond the confines of their executive careers. This includes information security. CISO’s must develop key Board relationships, referencing cyber risks against a complex business to an audience confronted by the need to learn about threats that did not exist a decade ago.
Cyber security has struggled to compete for investment. Few people outside technology truly understood the work of the CISO, and many do not understand the dollar-value of risk prevention and protecting against cyber threats. This is changing and the key is to quantify. Yet even here, it is not enough to simply quote the number of cyber threats prevented, and dashboard figures on bottom-line savings. The future CISO will use and analyse this data, certainly, but they will ‘sell’ these metrics to their peers, the C-Suite and Board, to ensure effective impact.
Where the CISO sits functionally within a large corporate is varied. While the majority of CISOs sit in the technology team reporting into the Chief Information Officer, some organisations find different structures appealing for pragmatic reasons. Many mature IT security functions organisations have the CISO reporting to either the Chief Compliance Officer, the Chief Executive Officer, or in some cases even the Chair of the Board Risk Committee. Regardless of where the CISO sits, one thing is clear: the CISO requires the crucial ability to adapt across fluid functional settings.
Commercially Astute & Aware
As well as technical expertise, tomorrow’s CISO will bring commercial acumen in combating threats to an organisation. By establishing and managing a holistic information security risk process, the future CISO will always look to protect core company assets. They will understand the financial impact of security threats, and prioritise security threats for the best commercial and regulatory compliance outcome.
Tomorrow’s CISO will always employ cyber security best practice. Not only will they develop the company’s information security standards and policies and oversee risk management training for all, they will also keep key stakeholders, including shareholders, continuously apprised of the company’s information security status.
They will also be vigilant in monitoring the environment for emerging threats and advising stakeholders on the appropriate action. They own the disaster recovery and business continuity plans related to IT, and protects the company’s intellectual property, regulated data, and reputation.
To invigorate the future CISOs impact on an organisation, they will build a robust technical team, and ensure a strong security posture through relationships with cybersecurity professionals and external agencies around the globe. They will comply with regulations, including those governing private-public partnerships, and have one-call access to the defence community and international intelligence agencies.
While the rise of the data-driven economy has continued to provide next-level growth opportunities, it has also fuelled a rise in regulatory, customer, and shareholder scrutiny on the appropriate and secure management of such data. Data breaches of the past have shown the seriousness of data protection and Boards are continuing to understand the dollar-value of such breaches.
As such, we contend that the CISO will rise to new levels of awareness, accountability, and, in most corporate landscapes, profile. Through proactive frameworks and future-proofing, tomorrow’s CISO will be more respected, visible and commercial than their predecessors, and a key business leader of the future.