A recent conversation on LinkedIn suggested that the role of the CISO needs to be recreated, since the role has evolved and the magnitude of the changes means that expectations of the CISO are hampered by the legacy of the past.
I do not necessarily agree with the idea that the CISO (Chief Information Security Officer) needs to be redefined.
The role and mission of a CISO have not changed. We are responsible for the IT services that protect our organization. The scope of our responsibilities may sometimes include areas such as disaster recovery, but fundamentally, our role has remained the same for a long time. However, as organizations have realized that cybersecurity is more than just a protective stance, the scope of our role has grown.
The theme of the article revolves around reporting at the appropriate level within an organization. While this has been a topic of discussion over the years, it is not always critical to our success. As I have learned, and as I have counseled many CISOs, a significant part of our role as leaders is to market the value of the IT security program to other parts of the organization. We must recognize our value and sell the concept. IT security has become more closely aligned and integrated with business strategy, and when we demonstrate value, we are given more responsibilities to further improve the organization’s security posture. We need to remember that we are advisors to the business (sometimes they will accept the risk, but it is our job to raise the issue of a potential risk). With that mindset, we step into a different type of conversation.
The business must recognize the value of our programs and personnel.
I have encountered IT security programs where the team was siloed, misunderstood, and even regarded as a burden. It was necessary for me to help individuals and teams understand the ways in which we provide value. This required careful change management, as well as credibility-building and marketing/selling skills. I recall changing the model of the security assessors so that they would not only find problems but also help find solutions. This change was implemented with executives, with teams inside the organization, and within the IT security team itself.
As I have told many, 70% of a CISO’s job is marketing when you start a new role.