Will CISOs become obsolete in the future?


Navigating the complexities of today’s digital landscape, it's clear that cyber security can no longer be the sole accountability and responsibility of one person -- the CISO. As cyber threats evolve, becoming more frequent and sophisticated, a single individual can't feasibly manage it all. As a result, and at some point in the future, we may dare to consider that the traditional CISO role might eventually become obsolete as business units become secure-by-design.

We need to pivot. Rather than placing the weight of managing an organization's entire security on the shoulders of one person, we need to integrate cyber security throughout every layer of our operations. This means moving towards a world where every business unit and every employee in an organization understands and owns their role in maintaining cyber security.

As a CISO myself, I'll explore why, although it may feel counter-intuitive, the role of the CISO as we know it could one day be superseded, as we strive to make cyber security embedded right across our organization. The aim of a modern-day CISO should be to create an environment where cyber security isn't a siloed duty, but a collective effort. We can no longer separate our real world into physical and digital; they are blended. As such, building secure-by-design organizations everywhere is the only sustainable way forward.

The CISO evolution

Historically, the role of the CISO has been primarily reactive -- responding to threats and orchestrating remediation. However, the escalating complexity of cyber threats requires a proactive and broad-based approach that transcends traditional security boundaries. Today, many CISOs have shifted to a more proactive approach and plan security capabilities together with their IT and R&D teams. Tomorrow, security needs to be embedded into the different processes that every unit and function in the organization has, and these areas would need to be equipped to secure their processes and be responsible for them. The shift towards a more distributed responsibility for cyber security is not only necessary but inevitable.

This takes its inspiration from the 'shifting left' concept and applies not only to how we develop software code, but to all organizational processes involving security. The goal is to help different units within an organization build their own security capabilities, become self-sufficient and 'secure themselves'. This covers every facet of our operations, from how we handle financial data to how we manage personally identifiable information in HR.

To realize this, we need a new breed of security professional -- individuals who can work across the organization, collaborating with various stakeholders, and ensuring that security is intrinsic to every business function. These professionals would be more than just technicians; they would be strategists, educators, and innovators who instill a culture of security across all levels.

Not only does this approach better spread the responsibility of cyber security, but it also allows for a more dynamic response to threats. With each department understanding its role in maintaining security, threats can be identified and mitigated more quickly, and at multiple points, thus ensuring a more robust and resilient defense.

Crucially, this new approach reflects the reality of our digital age, where remote working and cloud-based infrastructure are the norm. These modern work practices necessitate a security model that is as flexible, adaptable, and broad-based as they are. It's a model that goes beyond securing the perimeter to securing the organization from within -- by every employee, in every role, at every level.

As cyber security becomes integral to all aspects of an organization, the need for a single point of responsibility diminishes. Instead, what emerges is a more resilient, more secure, and more inclusive approach to cyber security. Technical skills from specialists will continue to be in high demand -- from threat analysts within SOC teams, to pen testers and risk managers -- but, ultimately, everyone within an organization will have a role to play in this journey.

How can organizations transform the traditional role of CISOs?

To achieve this 'dream state', we need to infuse cyber security into the design of our processes and technologies. It's about taking a hard look at how we operate and making proactive adjustments to embed security. This goes beyond the digital infrastructure to include the ways we hire, vet, and train personnel. It means creating protocols where security is second nature to all users, and its principles are integrated into every decision we make, and every action we take. It's about making security a core value, not just a job title.

Of course, the journey towards this transformation will not be without its challenges. Many organizations are still in the early stages of integrating cyber security across all their operations. Moreover, the complexity of cyber threats means that traditional cyber security capabilities will likely still be necessary for the foreseeable future. That's a reality we must acknowledge even as we strive for more.

However, organizations should not shy away from aiming high. Although the industry is far from fully realizing this vision, it's a goal that's worth pursuing. The transformation won't happen overnight, but with each stride we make, we'll be building a more resilient, more secure foundation not just for our organizations, but for other organizations that are impacted by us being in their supply chain.

This evolution of the CISO's role would signify that we've truly integrated cyber security into our organization's fabric. This may seem like an odd aspiration for a CISO, but it's an aspiration that embodies a sustainably secure digital society in the future. This is not just a dream, but a direction that I believe we all need to take to navigate the complexities of our digital world securely.


Christine Bejerasco is Chief Information Security Officer at WithSecure.

© 1998-2024 BetaNews, Inc. All Rights Reserved.