The ever-evolving role of the CISO

The dependence on IT infrastructure, increased compliance requirements and the proliferation of sensitive data are all areas of risk. And not a week goes by without there being some new breach, adversary or threat reported in the media.

Businesses are increasingly looking to their CISOs to define, implement, measure and communicate the strategies they need to both assess and manage these risks.

Over the past few years the role of the CISO, and the skills they require, have evolved. Yes, CISOs still need to be subject-matter experts – understanding the technical aspects of the threats they face and solutions they deploy – but increasingly they also need to be business strategists and communicators.


The appreciation of cyber-risk as another type of business risk has become much more common in many organisations, and there has been a realisation that it can’t be managed purely from within IT.

As a consequence, CISOs in many organisations now regularly report to the board and have a much broader range of influence across a business.

In many organisations, security is being considered within projects and acquisitions from the get-go – rather than as an afterthought. This requires the risk appetites and tolerances of the organisation (around IT and customer data) to be defined, communicated and managed.

Further, this requires a reframing of technical concepts into more general business language. Today a CISO’s voice needs to be heard and understood throughout an organisation for them to be successful.

Investment value

The importance of the technical side of the CISO role hasn’t diminished though, and there is continued change in both the threat landscape and the solutions available to counter adversaries.

When selecting technologies, CISOs are increasingly looking at the value an investment could bring in terms of reducing risk, rather than looking at the number of threats blocked.

The model adopted by many organisations in the past has been to deploy the latest technologies to detect and disrupt the latest threats, and then engineer process (and people) around these technologies.

In a world with a significant shortage of skilled security people, and where security automation is still in its infancy, this doesn’t necessarily get the best result.

CISOs are looking for the ‘right’ technologies that detect and disrupt the threats that matter, whilst maximising the effectiveness of their people.


Increasingly, CISOs are looking to build their processes around their business and their people, and are then looking to invest in technologies that streamline these processes.

This requires the CISO to have a more balanced view of internal versus external threats, capabilities and business requirements.

Measuring success

Many CISOs also now face increased scrutiny. Measuring risk and the effectiveness of their teams and processes, and then communicating the results, has become a key part of the CISO’s role.

Defining the right metrics to measure the success or failure of a security organisation, and its strengths and weaknesses, is imperative. If we know what we are good at, and what we aren’t, then we know where we need to improve.

The CISO is now a key individual within large businesses. In today’s connected world, where businesses are ever more dependent on the security of services and data, it is the CISO’s role to create the bridge between technical threat and business risk, and thereby manage the continuous improvement of an organisation’s ability to deal with new and increasingly advanced adversaries.


Sourced from Darren Anstee, chief security technologist, Arbor Networks

Ben Rossi