Redefining the CISO role: Why the top security job is gaining C-suite and boardroom status

Breach concerns, data privacy regulations, and a move to separate security from IT are elevating the importance of the security role.

CSO Digital Magazine  >  Summer 2020 [cover]
IDG / Brian Stauffer

Editor's note: This article originally appeard in the Summer 2020 digital issue of CSO.

Timothy Youngblood's responsibilities as CISO at McDonald's Corp. are broad, influential and a lot different from what most executives like him had a few years ago.

As the fast-food giant's chief security executive, Youngblood's role is as much about protecting the McDonald's brand globally as it is about facilitating and supporting business initiatives and goals. He reports to senior leadership, he has board-level visibility and accountability, and a voice in key business decisions at his company.

Quote  >  Timothy Youngblood, CISO, McDonald’s Corp. CSO / IDG

"Ten to 15 years ago, the CISO role was more of a unicorn role," Youngblood says. "Few companies had CISOs or even knew what a CISO was."

If security leadership existed, it typically reported into a vice president of infrastructure or similar role and was constricted to operational activity around things like access control, Youngblood says. These days CISOs are not only asked to report to boards, but also be on them. "Because of the headlines of the day most boards want to speak with security leadership before they talk with CIOs."

Rapid evolution of the CISO

The CISO role is evolving rapidly because of changing expectations around data privacy and protection. Data breaches, regulatory compliance and third-party risk management have all become big concerns.

Organizations that experience data breaches can incur huge costs and brand damage. Equifax's 2017 data breach cost the company $381 million in breach compensation. In addition, the U.S. Federal Trade Commission (FTC) forced the company to commit to spending at least $1 billion on security improvements over the next five years.

To continue reading this article register now

The 10 most powerful cybersecurity companies