Chief information security officers (CISOs) are under fire. According to Bloomberg BNA, both CISOs and chief information officers (CIOs) are now at risk of being named in post-breach lawsuits because these executives, "by dint of their role and purported experience, assume a fiduciary duty to the shareholders."
In response, both the ideal candidates and CISO job descriptions are changing; a recent Forrester report, entitled "Evolve to Become the 2018 CISO or Face Extinction," predicts a 180-degree flip in priorities by 2018. But how do security leaders handle this about-face?
According to Government Technology, experience alone isn't enough to handle the CISO's changing role. Mike Wyatt, a managing director at Deloitte Advisory, describes the role as "moving from an IT security to really a C-suite executive that's engaging and really managing of enterprise risks." What's more, the new breed of CISO must also move away from a purely tech-defined role to gather input from staff, articulate funding needs and effectively become a public figure — something that lies well outside the box for traditional CISOs.
Security threats are also evolving. Phishing emails — once easy to spot in the wild — are becoming more complex. Gone are the days of bad grammar and poor spelling, replaced with legitimate-seeming offers or urgent warnings. The burgeoning Internet of Things (IoT) makes this even more complicated; CISO Tim Callahan of Aflac Insurance told Government Technology that he's now seen a smart refrigerator launch an attack on a bank's secure network. Bottom line? New security leaders are required to effectively navigate evolving landscapes.
How do potential candidates become the CISOs of tomorrow? And how do existing security officers make sure they're ready for the task ahead? According to Forrester, it all comes down to priorities. In 2013, for example, the top CISO priority was preparing organizations to handle security threats. This was closely followed by threat detection, IT oversight, event response and the ability to liaise with other C-suite executives and stakeholders at large. In 2018, meanwhile, the research firm predicts a very different order. Preparation falls to the bottom of the list, response stays the same, and detection and oversight switch positions. And at the top? The ability to effectively liaise.
Here's what's happening: No longer considered a purely technical role, CISOs are now seen as part of critical business infrastructure — not merely a cost center but a way to improve the bottom line, and they're potentially liable if the bottom falls out. As a result, the ability to prepare for, respond to and oversee the management of security events is quickly being sidelined in favor of more recognizable executive qualities: articulation, interaction and expectation. Hitting this mark, however, requires a shift in priorities.
Security leaders face challenges both within and without; malware continues to evolve, now leveraging both mobile devices and the IoT as attack vectors, while other executives and stakeholders push for new CISO responsibilities. For security officers, moving forward requires an about-face — a new direction instead of possible extinction.
To dig deeper, download the Forrester report in its entirety here.