The changing role of the CISO

The cybersecurity head of any organisation has moved from being purely technical and reactive to someone forward-thinking and strategic. Lamont Orange looks at how to navigate the changing role of the CISO.

The cybersecurity landscape has become increasingly complex over the last decade – the impact from a cyber attack has the potential to cripple an organisation’s ability to operate and could result in significant reputational and regulatory repercussions. Consequently, cybersecurity in the enterprise has ascended to become a boardroom issue. With this transition, the role of the CISO has also evolved significantly.

Cyberattacks are increasing at an alarming rate – Gartner predicts that 45 per cent of organisations will experience attacks on their software supply chains by 2025. With data rapidly becoming a key commodity for businesses, particularly with the rise of generative AI, CISOs are no longer just the technologist in the room dictating how organisations should secure their IT systems. Instead, they are playing a more critical strategic role in how businesses manage this key asset, while educating fellow business leaders and implementing the tactical digital transformation plans in their own right.

As the CISO of a cybersecurity company, it is perhaps even more crucial that I drive organisational best practice and ensure we are serving as a role model for our customers. We do this by implementing cybersecurity principles such as zero trust, encouraging positive mental health in the workplace, and fostering the spirit of innovation which we have embedded into our services and demonstrated throughout our own organisation.




Evolving role of the CISO

The CISO has always been responsible for executing the security effort in the enterprise, developing, implementing and overseeing the strategies and policies that protect an organisation’s data and systems.

As businesses have shifted from a traditional on-premises model to the cloud, and now into the era of remote work, this responsibility has become increasingly complex. As a result of this shift, and the widespread efforts by regulators to protect individuals’ data, the role of the CISO now interacts with a greater number of operational teams, including networking and risk compliance.

The CISO now plays a crucial role in embedding cybersecurity into wider business operations. This requires a clear understanding of business objectives, and how to apply the right level of security to different policies in the organisation, as well as the ROI of those initiatives. For example, networking and security teams regularly create friction in the debate over performance and risk exposure. The CISO must be able to mediate these conversations and develop policies that meet the objectives of both teams.

Alongside this, with more robust cybersecurity tools and investment comes the need for more security-focused employees in organisations, meaning CISOs must manage ever-growing security teams – a recent ISACA survey showed that 48 per cent of security professionals report up to the CISO.

Where necessary, the CISO must have the ability to communicate the justification for stricter policies right up to the top of the enterprise. CISOs work closely with other C-suite executives to ensure the organisation’s security programme is effective, efficient and serves as a business enabler rather than a blocker. With this broadening remit, the CISO also acts as the bridge between technical and non-technical employees, with more focus on building relationships and internal trust.

In the cybersecurity industry, we are constantly talking about trust – particularly zero trust – but the modern CISO needs to build trust with colleagues to implement security policies, and also with customers to show that the organisation takes the necessary steps to protect their data.




Doubling down on AI

Today’s CISO must remain constantly mindful of the benefits and the threats posed by rapidly changing technologies – most recently, this has been in AI. As with any emerging technology, CISOs were initially sceptical, and even fearful, of AI as a tool which could be used by malicious actors or inadvertently expose company data.

However, with AI usage on the rise – Netskope’s report shows that the use of AI applications in the enterprise rose by 22.5 per cent in May and June alone – we know that AI isn’t going away. CISOs have had to learn about the ways AI can be used by attackers in order to pre-empt, identify and respond to threats more quickly and accurately, embracing the technology by integrating AI-powered security solutions into our own systems.

AI technology has the potential to transform the workplace, where automation can be applied to a wide range of marketing, legal and HR processes. It is up to the CISO to help fellow C-suite leaders to make key decisions around how we make this transition as smooth as possible without exposing data.

From ‘machine-person’ to ‘people person’

With the role of the CISO expanding from technologist to business leader, perhaps the most radical departure has been the expectation for the CISO to connect with people as much as, if not more than, machines. The CISO must have the interpersonal skills to communicate to employees at all levels of the organisation, and the ability to tell stories has been a crucial way to reach people to help them understand what we’re trying to accomplish.

This shift is evident when we see how many successful CISOs nowadays come from a range of backgrounds and disciplines, including finance, business operations and even data analytics, rather than a technical cybersecurity background. This diversity has helped CISOs to shape the role into something that is much more suited to addressing the multifaceted complexities we face in the industry today.

The CISO of the future

The ascension of cybersecurity to a boardroom issue has expanded the role of the CISO from being purely technical and reactive, to becoming strategic, risk-focused, and proactive. Now spanning multiple domains within an organisation, the CISO has become integral to an enterprise’s overall business strategy and success in an increasingly digital and interconnected world.

Lamont Orange is global CISO at cloud security company Netskope
