The CISO role is going through a period of transition. The number of security breaches that have occurred over the last year is unprecedented and demonstrates a need for stronger security. The improvements which organisations must make from within will stem from the CISO’s desk. This represents a shift that will require enterprises to re-examine the role of the CISO.
In most companies, the security budget is a fraction of the total IT spend, and a CISO might find himself or herself reporting to a range of departments including Legal, IT, Risk Management or Finance. However, until recently, a CISO's level of influence has rarely extended past his or her given department.
With breaches and cyber security incidents of all kinds on the rise, the CISO should have the ability to effect change on a par with changes implemented by the CFO, CIO and other key executives. CISOs need to have their own budgets and a line into the board of directors.
Enterprises face a new threat landscape where security challenges extend beyond a company's perimeter firewall. Building better defence in depth out of point solutions is no longer a sound strategy. To stay ahead, a re-evaluation of security practices is required.
The adversary is evolving as well, with organised crime and nation-state actors firmly in the fray. These groups employ highly organised and technically advanced cyber attackers capable of carrying out successful attacks on pre-selected targets. The motives vary from attacker to attacker, yet monetising stolen information or attacking an organisation for political reasons, as we saw in the case of the Sony breach, have proven to be the most common.
Adding to the complexity of the threat, a black market underground thrives, and experts from around the globe can anonymously buy and sell tools, data and intelligence. This market has increased the value of information that can be used in future attacks, like login credentials or PII (personally identifiable information), and has broadened the range of tenable targets.
The fact is that cyber crime isn’t going to go away anytime soon and security will continue to be a problem for the foreseeable future.
The new breed of CISO
As the person charged with combating this ever-evolving threat, the CISO plays a vital role in the success of any given organisation.
As the responsibilities of the CISO expand, the role needs to become a more strategic business function. CISOs need to become dynamic leaders, capable of bridging the gaps between technology and the boardroom. Successful CISOs will be capable of both building and training effective security teams and communicating security threats as a business risk with non-technical business leaders.
The first set of challenges every CISO must face is the shortcomings of the dated security technologies that form the foundation of almost every security programme. With an entire organisation's architecture to secure across a host of different areas, CISOs don't have the luxury of focusing on a single area of risk at a time, and so need to stop relying on point solutions that are narrow in scope.
Instead, they need to approach security as a holistic problem, deploying security strategies that address external threats targeting users, third-party partners, mobile applications and so on, and that can be implemented enterprise-wide to improve the risk profile of the organisation. This includes building programmes to address external threats that affect the brand. Threats like phishing, website malware and rogue mobile apps create data leaks that cause friction with users and can lead to massive data breaches down the road.
The increase in attention given to information security is long overdue. With the limelight on the CISO more than ever before, individuals in this role have a unique opportunity to step up as leaders. The role is changing, and with it the demand for security technology that meets modern challenges will increase. The future of information security will be defined by the response to evolving threats and by the ability of CISOs to step up as business leaders.
This article is from the CBROnline archive: some formatting and images may not be present.