This is an article written by Jamal Elmellas, Chief Operating Officer at Focus-on-Security.
The rise of security on the corporate agenda has seen the CISO gain more visibility, but it’s a role that may be about to change. According to Gartner, cybersecurity leaders are losing control due to the distributed ecosystem, pressure to monitor the proliferation of network connections, and technically savvy employees who are now more confident about making decisions without consulting security leaders.
So where does that leave the CISO, and what is their remit likely to be in this brave new world?
The CISO has traditionally focused on technical implementations and protecting the business from attack. They would report to the CIO but would otherwise have little involvement at board level. Now, the CISO is an integral part of the conversation and is often on an equal footing with the CIO. But the changes identified by Gartner suggest that oversight is being lost, making it difficult to control risk.
Lack of visibility was identified as the number one issue for CISOs by Verizon in its 2020 report, driven by the expanding IT infrastructure and compliance environment. It observed that CISOs are typically the focal point for all data and cybersecurity matters from the board, shareholders, auditors, regulators and the media, but that they also tend to become scapegoats when things go wrong.
A report on CISO stress published around the same time found that 88% were under moderate to high stress. As a result, the average tenure is only 26 months, a rapid turnover which makes it extremely unlikely that a CISO can bring about real change, given that security plans take 3, 5 or even 10 years to materialize.
Reinvent the role
The solution to these problems is for the CISO to take a step back in order to regain control, and to do so they must be able to “designate responsibility, authority and ability,” suggests Verizon. It is this principle that Gartner has followed, reframing the CISO’s role from breach prevention to that of a risk management enabler who educates the C-suite and measures and articulates risk.
Interestingly, Gartner goes on to predict that this will also lead to a shift in responsibility from the CISO to business leaders once they are sufficiently equipped to make informed risk decisions. It predicts that in four years, at least half of C-level executives will have performance-related cybersecurity goals written into their employment contracts, which can then be part of their performance-related pay.
In many ways this promises to lift the CISO out of the trenches, as they will no longer have to fight every battle themselves but can effect real and lasting change. But it will drastically change the mission, because most CISOs come from a technological rather than a strategic background and are therefore more comfortable with a hands-on rather than a strategic approach. They usually rose through the ranks after cutting their teeth in network security, threat detection or compliance management, for example.
Going forward, CISOs will still need to identify, prioritize, and define security controls, but they will also need to align any security strategy with business strategy. It will be up to them to promote understanding and ownership of these controls by senior management so that they can assume greater responsibilities. They will also need to help HR integrate cybersecurity KPIs into employment contracts.
Ambitious cybersecurity professionals who aspire to be the CISOs of tomorrow will need to expand their skills. Today, you would expect them to have a degree in computer science, possibly a master’s degree, certifications such as CISSP and around a decade of experience, as well as a deep knowledge of security technologies and regulatory compliance; but the focus will undoubtedly shift more towards business management in the future.
Leadership skills have always been an important part of the mix, but they will become crucial, emphasizing soft skills such as communication, problem solving and decision making. They will need to be much better at setting goals and designing and implementing security operating models. Finally, they will need to be politically astute and sensitive to the need to formulate a cybersecurity policy that recognizes the corporate social responsibility (CSR) of the company to protect its data, employees and customers.
It will be interesting to see how these predictions align with the Career Pathways Framework currently being developed by the UK Cyber Security Council. This aims to create a register of practitioners, similar to that of the medical and legal professions, to recognize ethical, highly qualified and experienced security practitioners and should see roles become more clearly defined with detailed job descriptions.
This is a welcome step, especially since the current shortage of cybersecurity talent means that job descriptions vary wildly. Some even ask for CISOs with penetration testing experience, as companies look to cover multiple responsibilities in one hire. As a result, CISO roles that used to take 3-6 months to fill now take much longer.
What is clear is that change is necessary and will have to come from one side or the other. Without it, the role lacks clarity, and as business networks evolve and the threats to them evolve with them, the pressure will continue to mount, ultimately rendering the position untenable in its current form.
Jamal Elmellas is Chief Operating Officer at Focus-on-Security, the cybersecurity recruitment agency, where he oversees screening and recruiting services. He previously founded and was CTO of a security consulting firm, where he provided secure ICT services for government and private sector organizations. Elmellas has nearly 20 years of experience in the field and is a former CLAS consultant and a certified Cisco and Checkpoint practitioner.