On the Role of CISO in the Digital World

Monday, 9 December 2019

even more critical. The role has a wide scope, from managing enterprise risk, formulating security strategies and
policies, and evaluating security practices and technologies, to overseeing the enforcement of security
mechanisms across the organization. Probably the number one priority of any CISO is to ensure alignment of
security strategies with the business goals and strategies of the organization. The organization itself may have
several core businesses and different types of operations within each business, many different partnerships and
clients, and can be distributed across different physical locations. Its infrastructure can be complex and
heterogeneous, with different types of systems and networks, various applications, cloud services and many
different kinds of equipment and devices. Given such a business and technology landscape, it is clear that the
role of the CISO is a challenging one.

If one looks to the past, when the role of CISO first emerged, there was often a greater emphasis on skills
related to technology. Many CISOs came from the technical side of the spectrum. In recent years, there has been a
greater tendency to employ people with a business or legal background. In fact, I am beginning to observe the
pendulum swinging much further to this side, with the CISO sometimes having only business experience and no
technological background at all.

This is what has prompted me to put down my thoughts, having been in the cyber security space for many years
internationally, both in industry and on senior industry advisory boards as well as in academia.
What is clear is that, given the pervasive nature of technology in business operations and decision making,
the influence that a CISO should have in an organization is becoming more important than ever. Furthermore,
to achieve his or her objectives, a CISO needs to work with a range of people in the organization: with the
executives on the one hand, and with the people from the technology side and the users on the other. Hence a
CISO will need a range of skills – such as the ability to understand the strategies of the various business
operations of the organization, the ability to formulate security strategies and policies that align with the
business strategies, and the ability to communicate and engage with the executives as well as with the
operations people. If one were to drill down further, the formulation of security strategies requires the CISO to
have an appreciation and a technical understanding of security threats and technologies in the digital world and
how they can impact the business strategies and operations of the organization. Without security knowledge, the
CISO will not be able to discharge his or her responsibilities, or even properly engage and advise the executive
on necessary risk management and mitigation strategies.

In my view, for a CISO to be successful in his or her role, it requires technical AND business AND strategic
leadership as well as communication and people skills. Furthermore, the CISO also needs to be strategically
aware (continuously updating his or her knowledge of both the business and technology worlds) to be able to deal
with dynamic changes and critical situations under time pressure. As with many senior positions, the ability to
govern by influence and to adapt dynamically to situations plays a significant part in the CISO role.
All this may sound obvious, but in recent times I have noticed a greater tendency for a CISO to be parachuted in
from the business or legal world without any appreciation of technological issues. This is just as dangerous as
having someone with a technology background and no appreciation of business perspectives. One is not
better than the other. Either situation will end with the CISO failing to achieve the objectives that he or she
must deliver for the success of the organization.

In some sense, the depth and breadth of skills needed in a CISO reflect the nature of cyber security itself. It
is important to realize that cyber security is multi-faceted, involving technology, business, social and legal
aspects. It includes governance, protection of brand and reputation, third-party and supply chain risk
assessment, data breach and data protection regulations, as well as managing the security of social media. The
more a CISO is across all these different aspects, the better the CISO will be able to manage these challenges and
provide both strategic and tactical advice to the executives and the Board.

This brings us to the last issue I wish to raise, which is about interactions between the CISO and the executive
and the Board. I often hear that it takes a data breach or serious security incident before the CISO is asked to
present to the CEO and board of directors. CISOs should have regular discussions with the Board on questions such
as: What strategies and mechanisms does the organization have in place to protect its digital assets and
infrastructures? How well do they align with and affect the organization’s business strategies and operations?
How well are the organization’s customers protected? How prepared is the organization for the unexpected?

In particular, I believe a CISO should have regular conversations with the Board on at least these 3 broad areas:

  • Protection of digital assets and technology and their impact on the organization’s business
    - Cyber security trends and strategies and their impact on organizations’ businesses. What
    protections and defences does the company have, and how effective are they? How are they enabling
    business operations and their growth?
    - The organization’s visibility into its digital assets and infrastructures is critical. The more visibility
    one has into assets, connections, network activity and vulnerabilities, the better one is able to assess
    and prioritize the assets to be protected.
    - Cyber security staffing and access to experts for advice on strategies and mechanisms
  • Customers
    - Here the main focus should be on maintaining and enhancing customers’ confidence and trust
    in terms of security and privacy. This includes the privacy of customer information, how secure the
    customer experience is when accessing the business services, detection of abnormal behaviours
    affecting customers, as well as notifying customers when the company notices any fraud, such as
    stolen credentials.
  • Response
    - This is concerned with the effectiveness and preparedness of the organization’s cyber security incident
    response strategy and policies, such as a team trained in detecting and responding to attacks and
    breaches, who to inform and engage with when incidents occur, including executive management
    and corporate legal and communications staff, and collecting evidence and conducting forensic

Many organizations have difficulty determining how secure they need to be, how much risk they are willing to
accept, or how much they are willing to spend to reduce risk to an acceptable level. A critical task of a CISO
is to articulate the risk appetite for the organization and then to get alignment on the agreed risk
appetite. Alignment and sign-off on risk appetite should extend across the executive team, and the team should
make sure the Board understands its decisions. Such statements of guiding principles help prioritize objectives
and actions, and provide a basis for decisions. This also gives a CISO a more convincing way to explain
and justify his or her actions.

A CISO has to understand the risks, know the cyber landscape and trends, and work with the executive and the
businesses to execute strategies and protect the cyber assets and customers, but must also enable new business
opportunities to be pursued in a secure and trustworthy manner. Every organization is different, and so are
its strategic priorities. A CISO’s role is to create a strategy that is moulded to the organization’s needs; that
way it has a better chance of working.

Professor Vijay Varadharajan
Global Innovation Chair Professor in Cyber Security
The University of Newcastle

