CISOs must adapt to business-critical nature of role

KPMG UK's head of cybersecurity reflects on what it means to be a successful modern CISO, how to develop the skills required, and how the role will change in the coming years.


Cybersecurity is rising to substantial importance at board level within organisations large and small, with cyber risk ranked as the number one organisational threat by global CEOs in the KPMG 2021 CEO Outlook Pulse Survey. This has seen the role of the CISO take on new significance as cybersecurity becomes ever more entwined with and vital to business success.

A growing number of CISOs are getting a direct line to the CEO and board, becoming an integral link between the boardroom, wider business, and ground-level cybersecurity function. As a result, they find themselves in a role that is moving away from the purely technical and taking on far more business-focused mechanics.

Speaking to CSO, KPMG’s head of UK cybersecurity consulting practice, Martin Tyley, reflects on the evolving role of the modern CISO, what it means to be successful, how to develop the skills required, and how the role will continue to change in the coming years.

An interesting time to be a CISO

“It’s a really interesting time to be a CISO,” he says. “It’s never been an easy role, but there was a stage when it was seen as one that just sat in technology. CISOs have been able to benefit from the growing prominence of CTOs and CIOs as technological enablers of businesses, bringing their own expertise off the back of that trend to help their organisations advance.”

Whereas the CISO was once the person who would often say no to things, the modern CISO is someone who can show that, if certain things are done, businesses can move even faster. “If you’re a CEO looking to grow an organisation, you don’t want people telling you what can’t be done because of security,” Tyley says. “Taking a different approach to conveying what’s possible has made some CEOs look at the CISO and say, ‘Actually, this person is on my side.’”

This is where CISOs start to become business enablers themselves, Tyley says, strengthened by taking ownership of aligning cybersecurity with the core needs of the organisation. “If you’re understanding the heartbeat of the organisation, then you can position your area of risk in that wider context and show empathy and understanding.”

Evolving skills of the modern CISO

The evolving role of the CISO is impacting the skills required to succeed in the job, Tyley says. Whilst a passion for and the ability to understand and adopt evolving technology will always be important, the best CISOs right now are letting go of some of those aspects to focus on how they can really benefit the organisation they sit in. “I get to listen to a lot of CISOs present, and for me, the best ones are those that talk about the organisation and put into context the reason why their role exists in the first place,” Tyley says.

Obtaining this business-aligned insight can be a journey of self-education, Tyley adds, and one that is supported by collaborating with peers across an organisation. “If you’re fortunate and not on the back foot from day one, go and talk and listen to as many people as you can to understand what’s important and critical to them,” and position security in line with that accordingly.

A modern CISO needs to be involved in a range of different forums within an organisation, and they also need to develop strong communication skills, particularly around highlighting security achievements that have helped to drive business success. “The risk a CISO has (if they are doing a good job and there aren’t many security incidents) is, if senior executives are not informed of what they are doing, they could take the view that the role isn’t actually needed,” Tyley says.

If you show an interest across the agenda, asking questions and probing in the right way because you understand organisationally where you are and what you’re trying to achieve, you’ll be given more responsibility. Effective, business-appropriate communication is therefore key for today’s CISOs, Tyley says.

CISOs must communicate with quality and professionalism

“This is about more than just words,” says Tyley. “Every type of communication you’re having has to have the quality appropriate for at least your peer group, if not more.” Whether it’s a board pack presented on a monthly or quarterly basis, a meeting, or comms across the whole organisation, looking and feeling professional, well versed, and consistent is hugely important.

“When you’re presenting on cybersecurity to a senior room, you have to assume that people are rushed and have got 100 different things on their mind that they’re trying to deal with as well,” says Tyley. From the outset, the board and senior executives are looking for you to frame what they are hearing and how it impacts the business. “If you go straight in with information like how many threats have been dealt with and how many attacks have been faced, you could lose people immediately.”

Instead, CISOs should take a funnel-like approach that outlines what the organisation is looking to achieve and how security is supporting that. This can have, and is already having, a positive impact on how boards perceive cybersecurity’s position within the business, with significantly more boards understanding the organisational mechanics of security compared to five years ago, Tyley says. “I’ve seen examples of a couple of boards where an individual responsible for elements of technology, risk, and cyber has educated the board as a whole.”

Rather than there being one person that steps forward around cybersecurity and everyone else takes a step back, everyone steps up and into the conversation with different perspectives on how threats may impact the organisation based on their specialities. “So, on the really good boards,” Tyley says, “everyone is lifted in their understanding of how to engage in this area, not just one person.”

CISO role a stepping stone to other business disciplines

The role of the modern CISO is becoming so intrinsic to business success that Tyley predicts a growing trend whereby non-security specialists will see the advantage of taking on the job to develop their business understanding and progress their careers. “You see this more and more in very large organisations. Take an oil and gas organisation for example,” he says. “Almost everyone is an engineer, including the CIO, because you’ve got to be imbued with that background. You don’t want to lose those specialised people because they’ve got so much corporate memory and understanding. What I love about the change in the CISO role is seeing talented people in organisations going into the job for two or three years as a great way of learning about business risk as part of their progression.”

Although most CEOs still typically transition from CFO, more people are coming into the CISO role as part of a career portfolio, Tyley adds, with evolving business risk increasingly deemed a worthwhile knowledge area for any business leader.

Copyright © 2021 IDG Communications, Inc.