Security executives are taking a hands-on approach in areas such as threat intelligence, privacy, and business initiatives.

I’ve spent a good amount of time speaking with CISOs over the past month and plan to write up a report about what I’m learning sometime after the RSA Security Conference.

In the meantime, it’s become crystal clear to me that CISOs are becoming more and more proactive in their jobs in a few areas, including the following:

1. Threat intelligence

In the distant past, most organizations really didn’t believe they were potential targets for cyber attacks. Yes, CISOs were responsible for building adequate defenses, but this job was seen as a purely technical endeavor. At that time, hackers were hackers — outside of Ft. Meade, few cybersecurity pros distinguished between cyber criminals and state-sponsored actors.

This attitude changed over the past few years as executives witnessed an increasing number of publicly disclosed data breaches. When data breaches occurred, CEOs quickly phoned up the CISO to ask what happened and whether their organization was at risk. More recently, CISOs have taken risk oversight to the next level by actively monitoring threat intelligence to better understand cyber adversaries and their tactics, techniques, and procedures (TTPs).

A CISO I spoke with stated, “I’ve really embraced the Sun Tzu quote, ‘If you know your enemy and know yourself, you need not fear the results of a hundred battles.’ My day begins by studying threat intelligence to better understand who is attacking us and why. I use this knowledge to educate the board and get them more involved in risk mitigation.”

2. Privacy

While privacy is closely related to security, it’s been little more than a side project for many CISOs in the past. Given the focus on GDPR (and other regulations), this is changing, however. Now, data privacy is evolving from a legal matter to an applied initiative.
As one CISO put it, “With GDPR, the legal team needed help to operationalize privacy. This brought more and more responsibility to CISOs since we specialize in operationalizing policy.” This means CISOs are spending more time working with business units to discover, classify, safeguard, and monitor sensitive data.

3. Business initiatives

As my colleague Doug Cahill likes to say, “Security is moving to the left.” In other words, organizations are building security into applications and infrastructure rather than bolting it on afterward. CISOs are at the tip of the spear here, becoming more involved in business planning and strategy. One CISO talked about this change as it applied to cloud computing: “Once the organization decided to move aggressively toward cloud computing, I tasked the security team with designing, testing, and building a cloud security platform that could support any future decisions on hybrid cloud technologies. Our goal was to align with and enable the business for the long-term.” CISOs are taking similar active roles with IoT applications, digital transformation initiatives, etc.

Most important qualities of a CISO

As part of the annual research project conducted by ESG and the Information Systems Security Association (ISSA), 343 cybersecurity professionals were asked to identify the most important qualities of a successful CISO. (Note: I am an ESG analyst.) More than half (52 percent) said leadership skills, 43 percent said communications skills, and 35 percent said a strong relationship with business executives. Clearly, they will need these types of skills as they address changing job responsibilities and evolve from reactive to proactive CISOs.

More on my CISO research soon!