Rise of the Chief Information Security Officer (CISO)
We are drawing to the end of the biggest biological pandemic ever experienced in our lifetime. COVID-19 has brought with it a mixed bag of results. The pandemic brought the world to its knees and resulted in an estimated 6.6 million global deaths. Thankfully, vaccines were developed quickly, with some claiming efficacy as high as 95% – though high, that still means you can become infected.
Regardless of the efficacy, the harm done to our bodies, whether from the virus or the vaccine, is conclusive and irreversible. On the other hand, because of the need for business continuity, life goes on.
The past three years have seen accelerated adoption of digital transformation initiatives, where the raw power of data transmission provided by 5G coupled with the power of storage offered by cloud computing has heralded the dawn of the metaverse.
There remains a continued emphasis on accelerating the digital era as fast as possible, rewiring the way that people live and work. This trajectory of rapid digital transformation brings with it associated cyber risks.
We are seeing ransomware evolve, for example. The latest ransomware is designed to destroy the data rather than just encrypt it. And so, as the end of the biological pandemic nears, the start of another arises – The Cyber Pandemic. Cybersecurity issues have evolved from being a business disruption to potential destruction.
Where are the risks? Who are the stakeholders involved? Why are these happening? How are we going to address these risks?
The rise of the CISO
These events are propelling one leader into the limelight – and that is the Chief Information Security Officer (CISO).
The CISO is the gatekeeper to the digital crown jewels of our organisation. They are the one making the final stand against adversaries attempting to devalue or steal our brand and data. Given the rapid digitalisation, they are the one individual in the company that carries the hope of salvation – of protecting our data.
Even though ‘data is the new oil’, CISOs are not always credited for this vital role. In fact, the CISO role didn’t officially exist 10 to 20 years ago – at least not in the form and shape it does today.
Traditionally, the CISO has always been seen as a back-office role, one filled only when an audit raised an issue or when an IT technician was needed because a password didn’t work or someone couldn’t access their email. They were seen and not heard, and never featured within the executive management team, let alone as a permanent agenda item in the boardroom.
But this is changing. The tide is turning in favour of the CISO – as the already volatile cyber threat landscape becomes even more disruptive in today’s fragmented global community. Events of the past few years have ripped up the fairytale of globalisation, the global village, and best sourcing.
Today’s existential needs have positioned the CISO to finally be recognised as an equal in the executive management team and make cyber a top concern at board level. As an attack can be launched on any organisation from any part of the world, defence is almost futile.
This amplified threat gave rise to many new concepts, but what all the grand-sounding terminology boils down to is simply going back to basics. To address the cybersecurity challenges of the future, we must simply focus on the most important thing – protecting the assets.
In order to protect these assets, we must first identify them, then find the best method for protection, which often means eliminating any risk posed to them.
The other key focus is the language of risk. A risk-based approach to protecting assets is the most fundamental business language used between the technical leadership of the CISO and the rest of the executive management team and the board.
The language of risk is what allows the CISO to be finally accepted as a fellow executive and not just a techie talking ‘mumbo-jumbo’ about pointers, ports, vulnerabilities, zero day and firewall rules.
A cyber leader’s KPIs are no longer judged by the number of firewalls in place, but by the value of the assets that they are entrusted to protect. Given the rise of digitalisation, they are likely to be largely entrusted with the company’s survival, as more than 90% of the company’s assets are likely already digitalised.
Risk owners, accountability and ownership can finally be clarified and a clear reporting structure established in a governance structure that is built upon risk and compliance.
The CISO of tomorrow will be in a unique position – one at the junction of technical leadership and business leadership, providing cybersecurity as an important asset and playing the role of a business enabler.
Cybersecurity is no longer merely a utility – it is going to be a critical feature that provides a competitive advantage and business sustainability.
At the same time, as a technical leader, the CISO needs to harness the vast potential of emerging technologies, using technology as a multiplier to address the shortage of cybersecurity talents.
Automation and robotics are going to be the tools of tomorrow, where each CISO will have an AI assistant providing them with proactive alerts and also supporting them with recommendations during their daily operations or annual strategic business.
By then, we will truly have arrived at the age of the CISO.