How to transform the role of a CISO for the digital-first economy

With any business venture, all organizations aim to minimize downside risks and maximize upside opportunities at some basic level. With the rapid transition to digital-first technologies, organizations are offering new products to improve customer experiences by delivering the value proposition of any time, any place. But with convenience often comes risk.

For instance, restaurants and retailers are enabling GPS data using third-party applications through API integrations to power location-based services. These applications elevate the user experience and maximize business profits through customized sales offers and personalized customer service experiences. But at what cost?

We all know by now the power of "keeping up" with the times and digitally enabling businesses to survive, but many organizations still do not fully comprehend the risks. Chief Information Security Officers (CISOs) play a crucial role in optimizing organizational health and security standards, while considering business prosperity.

For CISOs to be successful in their role, they must understand the opposing natures of high risk and high reward to make smart, calculated decisions for all business ventures.

The Leadership Role of CISOs in an Organization

In the traditional sense, CISO 1.0, as I like to call it, plays a heedless role that neither continuously evaluates nor addresses the ongoing digital threat. By taking a static approach, CISO 1.0 is not as vigilant in preventing attacks and accepts that what happens, happens. Like securing a home from within, CISO 1.0 works to ensure all doors and windows are locked but, unlike a transformed CISO, does not go the extra mile to examine the neighborhood for perceivable threats before opening the doors or windows.

The CISO 2.0, however, plays a more proactive and dynamic role by placing themselves in the shoes of customers and considering the wide range of potential threats to make more calculated and forward-thinking decisions to secure the business. To truly elevate the CISO role to a leadership role within any organization, CISO professionals need to be skilled at managing uncertainty and willing to look outside the organization for opportunities to grow the business.

5 Key Characteristics of a Proficient CISO 2.0

So, what steps does it take to become a proficient CISO 2.0? We must first identify the top qualifications of a strong CISO 2.0:

  • CISO 2.0 is a culture builder. Businesses have still not adopted a "security first" mentality. Typically, an organization’s features and a "first-to-market" mindset are what drive application development. A successful CISO 2.0 will need to change that mentality to a "secure development" culture. Today, security is considered a roadblock by development teams -- "The security team just slows us down." Changing this mindset and culture is not easy, but it can be done with the right people, processes and tools.
  • CISO 2.0 is a skillful recruiter. It’s easy for a CISO 1.0 to hire any security analyst with a degree for a particular role. However, hiring the right person is a must when it comes to today’s threat landscape. A CISO 2.0 will need to look beyond skill set and certifications, considering other traits that will make their team stronger and more agile. For example, communication, creativity and an ability to adapt at a moment’s notice are critical for security teams to succeed. These traits are hard to measure when only looking at a resume, so a CISO 2.0 will need to have a keen sense of a candidate’s drive and motivation to make sure the right hire is made.
  • CISO 2.0 is a strong cross-functional program manager. Too often we see security teams on an island of their own. They have no insight into the development, QA and DevOps teams, and it’s the CISO 2.0 that will need to break down those barriers. A traditional CISO 1.0 may say to these teams, "this is how our security team works, so you need to change your processes." A better approach would be to have a full understanding of how these business units operate within the organization and work with them as an extension of their processes rather than as an accessory that doesn’t fit.
  • CISO 2.0 is an expert communicator. Communication cannot be overstated when it comes to a CISO 2.0. This skill is often overlooked, but the ability to deliver a clear and concise vision of a "security first" culture to the executives is indispensable and can make a profound difference in the way development and security teams work together. Specifically, CISOs should learn to tailor their vision for each particular development team, demonstrating how security can help their specific role. This can go a long way in breaking down barriers between business units.
  • CISO 2.0 is a cybersecurity expert with a continuous improvement mindset to drive business. It’s easy enough for a CISO 1.0 to have processes and tools that they ride out for years. However, I can guarantee you that this is a losing proposition. Every day, threat actors are getting more creative and committed to finding holes in any organization. The truth is that yesterday’s tools and innovations cannot address today’s issues. The threat landscape changes too often. CISO 2.0s will need to be vigilant when it comes to internal training, tools and processes to stay ahead of the latest vulnerabilities. This is a never-ending initiative and should be seen as a motivator, not a nuisance, as part of the CISO 2.0 role.

Curiosity vs. Closure, Experimentation vs. Preaching & Prosecution

Too often, CISO professionals rely on meeting compliance standards or keeping pace with competitors and mistake this tactic for a coherent security strategy. This static methodology means that organizations will only ever be as strong or prepared as their next competitor and will never look to outpace competing security strategies.

The CISO function is unique as it is the only role in an organization that takes security goals and reverse-translates them into business goals. This translation requires the CISO to evolve into the critical decision maker in an organization who takes calculated risks to gain market share. Similar to enabling location-based services to meet and exceed customer and organizational demands, CISOs should consider the benefits of integrating with third-party applications and vendors, but not without considering the inherent risk that comes from opening your business to supply chain weaknesses and outside threats. Ultimately, CISOs are critical to business operations, as the role will determine how effective a business is at protecting the business and its critical data.

For professionals in the field looking to make the transformation to CISO 2.0, my recommendation is to be curious and experimental while also maintaining healthy and vigorous security standards and operations to keep your organization competitive, moving at optimal speed and able to meet the ever-evolving customer demands.

Photo credit: Den Rise / Shutterstock

Ray Kelly is a Fellow, NTT Application Security

© 1998-2022 BetaNews, Inc.