The CISO role continues to evolve with new tech, vulnerabilities and threats. While the landscape of what a CISO does is expanding, the good news is that the role is becoming more strategic within organizations which is not a surprise given the current state of affairs.
Information security has morphed from being an unsexy expense to a necessary capability. Without it, organizations remain woefully unprotected against the growing threats of hackers, hacktivists, and hacking groups, some of which have ties to organized crime.
In fact, cyberterrorism and cyberwarfare are existential threats to every organization today, irrespective of size or industry. While cyber security will never be the core competency of most organizations – which bad actors are counting on – businesses can help themselves by having the right CISO in place.
Cyber security had humble, tactical beginnings – the firewalls, followed by IDSes, honey pots and more. As hacker tactics evolve, so must an organization’s security fabric. However, a tactical approach to cyber security has proven to be unwise.
Companies must have a cyber security strategy under which technology, processes, practices and people fall. Of course, CISOs should set the cyber security strategy within the context of what the organization is trying to achieve as a business, what resources it has to protect itself, and what the current and desired future states of its cyber security are.
On the other, tactical side are the questions of who does what and who is responsible for what, along with the tools, plans and processes that bring a cyber security strategy to life.
A CISO should be a strategist with a chair at the executive table who has the people skills to work with other departments well. If so, that person is in a better position to become an enabler versus an obstacle to progress. In short, the CISO should help the business meet its strategic goals in a manner that minimizes the potential risks.