A lot has changed since the early years, when enterprises first began embracing the CISO position. Back then, the CISO role was primarily a technical one: control user access, secure the databases, find and patch vulnerabilities, keep the malware out, and eventually help build secure websites and eCommerce platforms. In those days, most of the highly proprietary data resided within the local area network, the data center, or on PCs and notebooks.
We didn’t know it then, but information security was a more straightforward technical challenge than it is today.
One of the things that first dramatically changed the role of the CISO was the rise of privacy laws such as GLBA and HIPAA, which required the first waves of regulatory compliance efforts and reports, along with the ability to show outsiders that security and privacy compliance measures were in place.
Today, the CISO plays a more central role in helping to guide enterprise risk management, governance, and regulatory compliance, in addition to all of the traditional technical security functions.
No easy task, to be sure.
The shifting threat landscape
The very nature of the threats CISOs fight has also dramatically changed. At one time, skilled adversaries were far fewer - and still fewer attackers were motivated by criminal profit. The financial gain wasn’t yet readily apparent, or so easily had. But that would change, and criminals would take notice.
Take a look at some of the most recent and damaging security breaches in Taylor Armerding’s The 15 worst data security breaches of the 21st Century. There, he looks at many, but not all, of the significant breaches that struck retailers, tech companies, financial services, entertainment providers and more in the past decade and a half.
And few would doubt that “security breaches at companies like Target and Neiman Marcus have placed [CISOs] these professionals on the front line of defense - and generated significant attention from the C-suite and boardroom,” as Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates, said in the question-and-answer article Inside the changing role of the CISO.
There is no doubt about it: Enterprises and governments everywhere now know that if they are going to succeed in the years ahead, they are going to have to do so by ensuring that their data and applications and information systems are resilient and secure. But just as threats have changed, so has the nature of the business-technology systems they defend.
From virtualization to public, private and hybrid cloud architectures, from cloud and web-centric applications to the speed and agility of DevOps and continuous integration and continuous delivery pipelines, the systems enterprises build, and how they build them, are changing very rapidly.
And it’s not just what kind of business-technology systems enterprises build and how they build them, but also where all the data is going. Not only is data traveling on more mobile devices, but enterprise networks are now being extended into the physical world through the Internet of Things (IoT). These networked systems will be managing automated building systems, fleets of trucks and autos, factory equipment, industrial SCADA systems, and more. This will profoundly change what is at stake when breaches are successful.
The future role of the CISO
While the CISO has been shown to help improve organizational security and improve the outcomes when security breaches do occur, that doesn’t mean the value of the CISO can be taken for granted. Broadly speaking, CISOs often report that they have a tough time communicating this value to business leadership, whether that is the owner, the board, the CIO or the CFO.
This is why, to succeed, CISOs must master how to communicate the value of their information security and risk management program to the business. And as attackers and business-technology systems continue to evolve in numbers and sophistication, and regulatory mandates grow more intense, successfully meeting the information security challenge is only going to grow harder in the years ahead.
To help you, we’ve put together this guide, which focuses on CISO career and leadership success and which we will update regularly to keep CISOs informed about what they need to know in order to succeed.
Three questions security leaders need to ask the executives and board in the wake of Amy Pascal’s departure.
As we work to adjust our bias for breach prevention, the real concern is how the response is handled. Some steps to help ensure you get it right.
What skills, background and education does a security executive need if they want their career to evolve?
Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates, talks with CIO.com about the challenges, opportunities and changing role of today's Chief Information Security Officer.
Leaders need to assess and prepare for the security impact of key people leaving the organization while making it better for those who stay.
More CISOs are embracing new career paths within the industry.
A CISO lives a precarious life. A head hunter once told me that the average CISO at large corporations lasts about 18 months before being fired or replaced. That's because he or she faces two kinds of threats in the jungle of business -- ants and elephants.
Paul Groce, Global Head of CIO/Technology Operations for executive search firm CTPartners, says the CISO role has evolved beyond the scope of one position in recent years.
Cloud Security Alliance co-founder and former Zynga CSO Nils Puhlmann reflects on what he's learned and explains why he thinks the industry needs more pioneers.