"It used to be that CISOs were over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops. True, that's still the role some CISOs find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the program that balances acceptable risks against the unacceptable," wrote Bill Brenner in a piece titled: The New CISO: How the Role Has Changed in Five Years.
That was six years ago.
Five years before that, Gartner published its own view of the CISO's evolving role with an eye toward the future, citing the same responsibility shifts Brenner observed.
For at least 11 years, then, there's been talk of the CISO's rapid evolution. From Gary Hayslip's (relatively) recent assertion that CISOs allow for "operational resilience" to the Forbes Technology Council's predictions that CISOs will become even more deeply involved in business decisions over the next five years ("These executives understand both the business and technology constraints, and bring something unique to the table," writes Ashley Saddul of Recruiter.com), it's become painfully evident that industry leaders believe the CISO role has and will change with respect to strategic business involvement, especially in regard to risk assessment.
Recommended Read: Should You Hire a Virtual CISO?
And there's no doubt the threat environment has changed — and continues to do so — in immeasurable ways. In fact, it's evolved so rapidly and so unpredictably that the CISO role has changed and will change in even greater ways than speculation indicates.
A Better Understanding of Today's CISO Responsibilities
Not only should any CISO on your team be ready to contribute to strategic business decisions, but he or she also needs to be ready to become a security leader.
A CISO should contribute to strategic business decisions, but also be a security leader. Click to tweet
Writes Chris Ciabarra, "A CTO or CIO who cares about their customers can never be allowed to learn about security needs from scandals and hacks. It is the role of a CTO or CIO to take a proactive approach to protecting their customers."
In addition, we'd argue, it's now and will remain the role of the CISO to "become the sherpa," as Tim Young of RSG puts it. Young is referring to business strategy and innovation, but we think the role demands even more than that level of leadership.
"A CISO today has the role of educator," says Devi Momot, Twinstate's CEO. (Like Ciabarra, Momot believes it would be unacceptable for a CISO to learn about security failures after the failure; they are in a position which requires them to be first to know.)
"The CISO needs to be an individual who can really effectively articulate what's happening in the environment and what the expectations are, and then garner buy in from stakeholders," she says.
Further, they need to lead both internal and external teams. "They need to have an ability to work with third-party providers while advocating for the organization," says Momot. Sometimes that means having difficult conversations with clients or benefits partners, and a willingness to dismantle relationships for the health of the business.
But not even "articulate, aware and assertive" can accurately describe the individual who should hold the CISO role, or the scope of his or her responsibilities. What else do you need in a CISO, and how will the role continue to develop over time?
"While the CISO needs to be quite knowledgeable, they also need to know that they aren't an expert in everything. They need to listen to other experts in the industry, and use that info to make decisions," says Momot.
No, a CISO won't become an open-sourced position by 2020. But whoever holds the role should be working tirelessly to source information from the most reputable contacts, with an element of humble self-awareness as his or her motivator.
Further, Momot suggests that all current and future CISO's should possess an innate "love of learning, love of change, love of challenge."
"It's required today," Momot says. "This isn't something an individual without those types of qualities can deal with."
However your business chooses to leverage your Chief Information Security Officer, know that the role will continue to evolve into a more strategically focused one — but also one of educational leadership. If you're in the market, look for someone with the qualities to adapt to that challenge.
Originally published on 10/27/2016