The evolution of the CISO in today’s digital economy
As the digital economy becomes ever more connected and encompasses all industries, we’re reaching a point where every company today is a technology company. Along with this transformation we have seen a commensurate explosion in the number of cyberattacks in recent years, and they only seem to increase in strength, frequency and severity.
At the same time, while the title of the CISO will still exist in the years ahead, the skills required to attain and retain the title are changing quickly, and current CISOs need to learn new skills beyond those they’ve historically focused on in order to succeed.
With digital services across nearly every industry, security has undeniably become a strategic business asset. Against this backdrop, the role of the CISO is evolving to include more than the bits-and-bytes and technical acumen that have largely defined the role in the past. CISOs must find new ways to align with the organization they work for to help solve business problems through cybersecurity.
When we think about how customers and employees interact with companies today – whether setting up a monthly subscription delivery on Amazon for household supplies or confirming a dentist appointment by responding to an automated text – it’s obvious security has to be involved at every point of contact. Consider new business models spawned by cryptocurrency, the so-called sharing economy, and the ease of sending and receiving money via apps on your smartphone. This is today’s landscape for CISOs, along with the mushrooming number of cyberattacks and data breaches.
As noted above, while the title of CISO will still exist in the years ahead, the skills required to attain and retain the title are changing quickly. The background of most people in security is in technology, so the traditional CISO approach reflects a certain mindset. Traditional CISOs have a technology orientation and have historically reported into a technology-focused executive. As a result, they have not needed to become fluent in financial decisions, corporate communications, contractual hurdles, staffing, and overall business strategy.
To boost their business savvy and pave the way for a true integration with the C-suite, it’s my belief that CISOs today must push themselves beyond being custodians of security technology. They must evolve to become decision makers who consider business operations, models and strategies when making security decisions.
At the same time, companies themselves must not simply deploy the latest security technology, but need to reformulate strategies to reflect the explosion of devices and data, the needs of users, and the overall importance of security at every business juncture. A broader knowledge base is called for to ensure the best security practices are put in place. In addition to an MBA and broader networking, this knowledge can also be gained by rotating into different parts of the organization for a short time, such as finance, marketing and business development.
From my vantage point, now more than ever, security is top of mind at the highest levels of enterprises today: heads of business units, the entire C-suite and boards of directors all care deeply about security because they must. With the deluge of cyberattacks, revenue, profits and brands are at stake. Along with this, expectations of how security is thought of and executed within their organizations are changing. CISOs are becoming leaders, not technicians.
More and more, the reasons CISOs receive promotions have less to do with technical expertise and more to do with leadership skills, strategic thinking and business knowledge. This new CISO role will also have a new set of people to work with, including business and change experts, analysts, communicators and project managers. CISOs will be called upon to direct and manage people well outside the scope of technology within the organization, not just IT folks.
As the global economy comes into the digital realm, the evolution of the CISO will march alongside that transformation, with security becoming foundational to how business is done. CISOs of today can embrace this transformation and choose the side of business technology, broadening their overall business and financial acumen, or they can choose to remain ensconced in the status quo, the technical and technological legacy of IT security.
To choose the latter is to unnecessarily limit their chances and choices for career advancement going forward, and may ultimately put companies, employees and consumers at risk of the next major security breach. In today’s connected, digital world, that’s not a position any CISO would likely want to be in.