The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.
Cyber security is a fledgling compared to industries like risk management—Lloyd’s insurance was founded in 1688! The CISO title is even younger, first appearing around 2005. But the role has still never been clearly defined, and every CISO is working differently.
Defining the role isn’t easy when the person hiring the CISO can be wildly different. CISOs report to CEOs, CIOs, CTOs and more, and the skills needed depend on the nature of the business and who they report to. CIOs and CTOs want a technical advisor, while CROs tend to address problems from a risk management perspective. CEOs just want the world—yesterday.
It comes as no surprise that CISOs are typically under a lot of pressure, which leads to regular turnover in the role and attrition within security departments. However, this could be stopped if CISOs were given more autonomy and responsibility.
Reporting lines do not dictate the power or value of a role, but when most CISOs still report to a technical leader, this limits their ability to be strategic and dilutes the role’s value. For the CISO role to be on a par with other technical leaders, we need the ability to challenge CIOs and CTOs, to ensure security isn’t bullied into accepting risk to meet the demands of agile IT projects. The way CISO roles are typically arranged today, we’d be fortunate to be in a situation where collaboration exists; when it doesn’t, we are forced to accept mounting risk without the tools to address it.
CISOs, expand your skillset and gain influence
If a CISO is lucky enough to hire their own replacement, we’d write the job description ourselves, and naturally the ideal successor would tend to have a similar skillset… leaning to the technical side. While it’s essential to understand what security teams are doing, growing the CISO’s influence means developing soft skills: stakeholder communication, business acumen and strategic planning. If not, we’ll be stuck in the SOC and kept out of the boardroom for another 20 years.
For CISOs looking to have the most influence in their organisation, look for the following:
- A role requiring oversight of technical tasks without executing them—I’ve seen CISOs involved in incident management due to incorrect expectations. This is not a healthy position for an executive.
- Understand where security fits in the business strategy—is it an essential part of the business model, or will the role be largely technical? Will you be too busy putting out fires to drive change?
- Look at the current process chain for security and ask about maturity—does the company follow defined processes and policies, and does it have a mature incident response plan? This will give you a good picture of where you’ll be spending your time.
- Ensure you have purchasing control—you can’t solve the skills gap by throwing multiple products at an overstretched team.
Successful CISOs must be able to update security controls, swapping old tools for solutions that reduce manual effort and prioritise actions, such as AI-driven detection and response.
This blog was first published in The Register.