Defining the Role of a CISO During Digitization
The role of information security is rooted in information technology, the origin of which was catalyzed by the development and adoption of the modern computer. IT, and eventually IS, was held separate because it was an enablement function. When IT was created, these teams worked with computers the size of conference rooms that needed constant care and attention. As the technology evolved, these teams became responsible for ensuring that the rest of the business units had the solutions they needed to make the business run. In the late ’90s and 2000s, this meant developing hardware architecture and procuring or building various solutions. Security teams were still only starting to evolve during the rapid development of the IT function. Many CEOs and board members had little understanding of these new technologies invading their organization, let alone the risks associated with them. During this time, technology was an enigma, and only the most dedicated students gained an understanding of how it operated. The result was information leaders selling their CEOs and boards on the idea that “this is the future.” As we have seen, these pioneers were correct. What we see now, though, is that the information professionals, and more specifically the information security professionals, who have primarily operated on the periphery are taking center stage. They were the individuals that the CEO called upon only in a crisis - a breach, a hack - and a symbol to customers and stakeholders that the organization was taking information security seriously. The creation of the CISO role was based in reactionary thinking, yet the personalities attracted to this position were not, and are not, reactionary. They were the proactive leaders who saw that the future is digital and helped their colleagues and superiors see it too.
Today, the digitization train has left the station - it does not take a master salesperson to convince the board and CEO that organizations need to digitize, and fast. While leaders may spout terms like cloud-based technology, design thinking, and agile project management, it is not the traditional business leaders who have been rooted in these technologies and processes for decades. It is the CIOs and the CISOs. The information business leaders have been ingrained in the technology that their colleagues are looking to adopt. As Gartner says - “CIOs may not realize it yet, but enterprise leaders may already expect CIOs to step up and are getting impatient.”
Digital transformation as a strategic inflection point
Digitization in any form, especially for an organization going through a complete digital transformation, represents an inflection point. IT leaders are in a unique position, as they are the product of a compounding time investment in the technologies that CEOs are looking to implement. We are at a turning point for the role of the CISO.
We are on the precipice of realizing the full potential of the CISO position. Since the CISO position was created, these leaders have been the secret keepers - the person behind the curtain, keeping the company secure while everybody else did their job. The marketing team bought billboards, the sales team made cold calls, the operations team kept it all running, and the IT team kept the computers online and secured. As technology has permeated every aspect of an organization, though, the defined lines between IT and the rest of the organization began to fade. Now, every organization relies inextricably on various platforms and technologies, and the security organization is responsible for keeping it all secure - in all, the changing face of digital risk management.
What this means for CISOs today is that their role has changed. No longer can they stay behind the scenes. The CISO of today and tomorrow must have the passion for technology and security that they have always had. What differentiates them from the pioneers is their ability to articulate their program and progress in a comprehensive way to non-technical stakeholders, to solicit buy-in and establish relationships across the organization to keep all business units secure, and above all to manage a comprehensive and integrated security program.
Share your knowledge
This shift from technical leader to technical and business leader will not suit everyone. It will require a change in mindset for current CISOs to view themselves as integral members of these initiatives as they take place. It is paramount, though, that CISOs take an active role in any digital transformation initiative. It is the IT leaders who derive their professional ancestry from those who got board buy-in to buy million-dollar computers the size of storage closets, the managers who were using agile management before Silicon Valley scaled it outside of IT, who have the highest command of this knowledge. It is selfish to keep this wealth of knowledge trapped within your team - share it; there are those looking for it.