On the Role of CISO in the Digital World

Monday, 9 December 2019

As cyberattacks and threats continue to increase in sophistication and frequency, the role of CISO has become even more critical. The role has a wide scope, from managing enterprise risk, formulating security strategies and policies and evaluating security practices and technologies to overseeing the enforcement of security mechanisms across the organization. Probably the number one priority of any CISO is to ensure alignment of security strategies with the business goals and strategies of the organization. The organization itself may have several core businesses and different types of operations within each business, many different partnerships and clients, and may be distributed across different physical locations. Its infrastructure can be complex and heterogeneous, with different types of systems and networks, various applications, cloud services and many different kinds of equipment and devices. Given such a business and technology landscape, it is clear that the role of CISO is a challenging one.

If one looks to the past, when the role of CISO first emerged, there was often a greater emphasis on skills related to technology. Many CISOs came from the technical side of the spectrum. In recent years, there has been a greater tendency to employ people with a business or legal background. In fact, I am beginning to observe the pendulum swinging much more to this side, with the CISO sometimes having only business experience and no technological background at all.

This is what has prompted me to put down my thoughts, having been in the cyber security space for many years internationally, both in industry and on senior industry advisory boards, as well as in academia. What is clear is that, given the pervasive nature of technology in business operations and decision making, the influence that a CISO should have in an organization is becoming more important than ever. Furthermore, to achieve his or her objectives, a CISO needs to work with a range of people in the organization: with the executives on the one hand, and with the people from the technology side and with the users on the other. Hence a CISO will need a range of skills, such as the ability to understand the strategies of the various business operations of the organization, the ability to formulate security strategies and policies that align with the business strategies, and the ability to communicate and engage with the executives as well as with the operations people. If one were to drill down further, the formulation of security strategies requires the CISO to have an appreciation and a technical understanding of security threats and technologies in the digital world and of how they can impact the business strategies and operations of the organization. Without security knowledge, the CISO will not be able to discharge his or her responsibilities or even properly engage with and advise the executive on necessary risk management and mitigation strategies.

In my view, for a CISO to be successful in his or her role, it requires technical AND business AND strategic leadership as well as communication and people skills. Furthermore, the CISO also needs to be strategically aware (continuously updating his or her knowledge of both the business and the technology world) to be able to deal with dynamic changes and critical situations under time pressure. Like many senior positions, the ability to govern by influence and to adapt dynamically to situations plays a significant part in the CISO role. All this may sound obvious, but in recent times I have noticed a greater tendency for a CISO to be parachuted in from the business or legal world without any appreciation of technological issues. This is equally dangerous, as is having someone with a technology background and no appreciation of business perspectives. One is not better than the other. Either situation will end up with the CISO not achieving the objectives that he or she needs to deliver for the success of the organization.

In some sense, the depth and the breadth of skills needed in a CISO reflect the nature of cyber security itself. It is important to realize that cyber security is multi-faceted, involving technology, business, social and legal aspects. It includes governance, protection of brand and reputation, third party and supply chain risk assessment, data breach and data protection regulations, as well as managing the security of social media. The more a CISO is across all these different aspects, the better the CISO will be able to manage these challenges and provide both strategic and tactical advice to the executives and the Board.

This brings us to the last issue I wish to raise, which is about the interactions between the CISO and the executive and the Board. I often hear that it takes a data breach or a serious security incident before the CISO is asked to present to the CEO and board of directors. CISOs should have regular discussions with the Board on questions such as: What strategies and mechanisms does the organization have in place to protect its digital assets and infrastructures? How well do they align with and affect the organization’s business strategies and operations? How well are the organization’s customers protected? How prepared is the organization for the unexpected?

In particular, I believe a CISO should have regular conversations with the Board on at least these three broad areas:

  • Protection of digital assets and technology and their impact on the organization’s business
    - Cyber security trends and strategies and their impact on organizations’ businesses. What protections and defences does the company have, and how effective are they? How are they enabling business operations and their growth?
    - The organization’s visibility into its digital assets and infrastructures is critical. The more visibility there is into assets, connections, network activity and vulnerabilities, the better one is able to assess and prioritize the assets to be protected.
    - Cyber security staffing and access to experts for advice on strategies and mechanisms
  • Customers
    - Here the main focus should be on maintaining and enhancing customers’ confidence and trust in terms of security and privacy. This includes the privacy of customer information, how secure the customer experience is when accessing the business services, detection of abnormal behaviours affecting customers, as well as notifying customers when the company notices any fraud such as stolen credentials.
  • Response
    - This is concerned with the effectiveness and preparedness of the organization’s cyber security incident response strategy and policies, such as a team trained in detecting and responding to attacks and breaches, who to inform and engage with when incidents occur (including executive management and corporate legal and communications staff), and collecting evidence and conducting forensic investigations.

Many organizations have difficulty determining how secure they need to be, how much risk they are willing to accept, or how much they are willing to spend to reduce risk to an acceptable level. A critical task of a CISO is to articulate the risk appetite for the organization and then to get alignment on the agreed risk appetite. Alignment and sign-off on risk appetite should extend across the executive team, and the team should make sure the Board understands its decisions. Such statements of guiding principles help prioritize objectives and actions and provide a basis for decisions. This will also give a CISO more convincing ways to explain and justify his or her actions.

A CISO has to understand the risks, know the cyber landscape and trends, work with the executive and the businesses to execute strategies and protect the cyber assets and customers, but also enable new business opportunities to be pursued in a secure and trustworthy manner. Every organization is different, and so are their strategic priorities. A CISO’s role is to create a strategy that moulds to the organization’s needs; that way it has a better chance of working.


Professor Vijay Varadharajan
Global Innovation Chair Professor in Cyber Security
The University of Newcastle