What skills do chief information security officers (CISOs) need to succeed? At first glance the answer seems obvious — the job title suggests a focus on safeguarding data and ensuring that corporate networks are kept safe from malicious attackers. But as noted by a new Forrester report, "Evolve To Become the 2018 CISO or Face Extinction," there's significant change going on behind closed doors as companies and C-suites come to grips with the fact that the role of the CISO is shifting away from one of pure technology to one that also provides business value. What does this mean for the skill set of up-and-coming executives?
According to IT World Canada, CISOs are "under siege" thanks to headlines about high-profile data breaches, often from within their own organizations. As a result, they are under increasing pressure to improve the tech-savvy of their staff and protect the company from malicious insiders.
Many CISOs make the mistake of focusing on compliance and regulations as a way to fully defend networks, despite the fact that 100 percent protection is an impossibility. Under pressure from the C-suite and IT pros alike, these executives often miss the more effective route of integrating security into business operations on the ground floor, in turn adding value to each step of the process instead of tacking on security controls right before an app is ready to ship or a new service is ready to roll out.
This focus on reactive technology is no surprise — a recent Deloitte study found CISOs spend over three-quarters of their time acting as both technologists and guardians, leaving little room for role-based innovation.
The Forrester study, meanwhile, suggests that over the next three years the expectations placed on CISOs will change significantly and that many aspiring executives may even be able to create their own roles. The primary goal of this new CISO? Providing business value by "extending their interests in domains that matter to business and consumer customers, such as privacy and compliance."
What's more, companies are now trending away from the need for "techno-machismo," which focuses on the technical expertise required by CISOs above all else, essentially tying the identity of the role to its core subject matter. But the changing nature of the boardroom demands a new kind of executive, one who isn't simply a siloed version of their key focus but instead a team player who looks to add long-term business value wherever possible. For example, instead of focusing on the development of secure content systems, a forward-thinking CISO could develop ways for companies and consumers to share information without compromising its integrity, or find new avenues for customers to interact with corporations without exposing networks to undue risk.
Simply put, the new CISO must cultivate relationships in addition to compute resources, and court stakeholders along with patching security holes. With IT increasingly viewed as a line-of-business asset rather than a necessary write-off, CISOs are being challenged to change what they bring to the table: in addition to solid metrics and threat predictions, they are expected to deliver long-term ROI and short-term value adds.
Next-gen CISOs aren't just great with technology and savvy when it comes to network security — they're also top-notch communicators prepared to deliver business value with every IT line item they champion.
Want to tackle 2018 head on? Learn more about the changing role of CISOs in Forrester's report here.