Redefining the CISO role: Why the top security job is gaining C-suite and boardroom status

Editor’s note: This article originally appeard in the Summer 2020 digital issue of CSO.

Timothy Youngblood’s responsibilities as CISO at McDonald’s Corp. are broad, influential and a lot different from what most executives like him had a few years ago.

As the fast-food giant’s chief security executive, Youngblood’s role is as much about protecting the McDonald’s brand globally as it is about facilitating and supporting business initiatives and goals. He reports to senior leadership, he has board-level visibility and accountability, and a voice in key business decisions at his company.

CSO / IDG

“Ten to 15 years ago, the CISO role was more of a unicorn role,” Youngblood says. “Few companies had CISOs or even knew what a CISO was.”

If security leadership existed, it typically reported into a vice president of infrastructure or similar role and was constricted to operational activity around things like access control, Youngblood says. These days CISOs are not only asked to report to boards, but also be on them. “Because of the headlines of the day most boards want to speak with security leadership before they talk with CIOs.”

Rapid evolution of the CISO

The CISO role is evolving rapidly because of changing expectations around data privacy and protection. Data breaches, regulatory compliance and third-party risk management have all become big concerns.

Organizations that experience data breaches can incur huge costs and brand damage. Equifax’s 2017 data breach cost the company $381 million in breach compensation. In addition, the U.S. Federal Trade Commission (FTC) forced the company to commit to spending at least $1 billion on security improvements over the next five years.

Statutes like the European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are adding to the pressure by requiring organizations to implement new and far more granular controls over customer and consumer data. Data breaches resulting from vulnerabilities in the supply chain and among third parties are exposing companies to new liabilities and forcing them to respond.

CSO / IDG

CISOs are in the middle of a lot of this change and are increasingly being vested with the responsibility for building privacy risk programs and managing third party risk and vendor controls. For many, these are new domains with which they have had little experience or little prior art to draw from says Bruce Potter, CISO of Expel who served as senior technical advisor to members of President Obama’s Commission on Enhancing National Cyber Security.

“It’s a very different environment I think than what CISOs are used to,” Potter says. “In a lot of ways we are building a plane as we are going down the runaway.”

A different risk and regulatory environment

Many organizations, for instance, are finding themselves having to implement new capabilities for data mapping and tracking data flows so they can comply with GDPR and CCPA requirements that allow consumers more control over their personal data. Few have the capability because till now they weren’t required to know where individual data elements existed across the enterprise, Potter says.

Similarly, the data minimization requirements under these statutes run directly counter to the data mining and data analytics initiatives many organizations have implemented in recent years, Potter says. “You had CTOs and CIOs going out and gathering as much data as they could and putting it into data warehouses and making the business smarter,” he adds. “Nobody really thought about the privacy ramifications because there was no hammer.”

Third-party risk management and vendor control are other areas that are elevating the importance and visibility of the CISO. A good and growing chunk of a CISO’s responsibilities these days is vetting vendor products and services for their organizations. Many recent breaches have resulted from attacks exploiting vulnerabilities in partner networks and the security organization is increasingly being tasked with identifying and weeding out potential issues.

Youngblood, for instance, was very much in the middle of three recent technology acquisitions at McDonalds. “The CISO role has changed dramatically to be an arbiter of what companies it is okay to do business with,” Potter says. Some of the security organizations that he interacts with these days spend as much as 40% of their time managing third-part risk. “It puts them in line with purchasing and other things with which they were not historically aligned,” he says.

In navigating such waters, CISOs are becoming more visible and influential across the enterprise. From being confined to a largely operational and technical role, security leaders for the first time are finding themselves being invited into a broader and more influential role at a growing number of companies.

Chief security executives are getting more opportunity to influence, partner and support change across the business, says Jason Haward-Grau, former CISO of PAS Global and former chief security executive at Hungarian oil company MOL Group. “I think many CISOs across industries feel that expectation from their colleagues, peers and their own sense of personal drive.”

The changing environment is requiring CISOs to think differently about their roles. Where previously it was good enough to have operational and technical capabilities, these days CISO’s have to be able to demonstrate business acumen and show how security is creating value and opportunity.

CSO / IDG

CISOs need to be able to work with business leaders, the C-suite and the board; understand business requirements; be an enabler of new initiatives, and be an arbitrator among different business functions – for example, information technology (IT) and operational technology (OT). “CISOs now need to understand not just security, risk and compliance, but also the nuances of the potential consequences and impacts on their business, their customers and now the supplier base,” Haward-Grau says.

CISO reporting structures come into focus

The rapidly changing profile of the CISO has lent urgency to long-standing questions about reporting structures for the role. Traditionally, CISOs have reported up to the CIO, CTO or in some cases infrastructure leaders because the role has primarily been viewed as being operational and technical in nature.

CSO / IDG

Many for some time have argued that to really influence risk and drive change, the role of the CISO needs to be separated from IT because of the conflicting interests. While CIOs are typically measured against and rewarded for keeping systems up and installing new technology, CISOs are focused on protecting corporate assets and reducing the risk footprint.

In recent years there has been a movement towards separating security governance from operations. Some CISOs have begun reporting to CEOs, CFOs, COOs and even general counsels. The overwhelming majority continues to report to CIOs because of the operational expectations for the role in areas like managing network security, Youngblood says. “If those operational duties are moved to other leadership, you will start to see more of a governance and strategic focus of CISOs,” he says.

CSO / IDG

Many of the security functions that CISOs are responsible for are being integrated into the technology that organizations purchase. Most network routers and edge devices, for instance, already have integrated security capabilities and can be managed by infrastructure and operational groups, Youngblood says. Identity management similarly is becoming more turnkey, highly operational and highly repeatable and something that an infrastructure team can handle. The more CISOs can divest themselves of these responsibilities, the better than can assume a true governance role, he says.

The natural progression is for a CISO to move to more of chief information risk officer (CIRO) role that works closely with finance, strategy, operations and other groups. Expect to see policy management functions move to the CIRO role as well, Youngblood says. “We currently see this role being created more in the financial services industry but it is coming more into other industries,” he says.