June 24, 2019
No C-level role has evolved as quickly and radically as chief information security officer (CISO). The CISO role first sprang from the ground-breaking “mega breaches” of the early 2000s, when it became apparent that cybersecurity issues could have serious business ramifications. Back then, the role was largely technical in nature (CISOs would put up a technology perimeter to stop breaches from happening) and, really, it was C-level in name only—most CISOs reported to chief information officers and did not have a direct line to the CEO as other C-level executives did.
The early days of CISO evolution also had a dark chapter. As the breach epidemic picked up steam, so did the scapegoat status of CISOs, who often found themselves in career jeopardy following publicly disclosed data breaches. Life in those days was difficult for CISOs. There was still a general belief in boardrooms that breaches could be prevented with some degree of certainty, so CISOs were tasked with an impossible job: preventing the unpreventable.
That perception is changing today. I would venture to guess that no CEOs or board members in the Fortune 500 believe data breaches are 100 percent preventable. Those same enlightened executives and directors want to understand if the company is prepared to effectively respond to a major security incident. After all, if breaches are not completely preventable, then breach-response preparedness becomes the most effective tool for managing business risk associated with data breaches, which can include operational disruption, litigation, regulatory fines, customer attrition, and loss of intellectual property.
Cybersecurity has become similar to the electric grid. Utilities can do their best to reduce the likelihood of blackouts, but violent storms will still cause power outages. Therefore, the measure of competence for an electric utility is not so much its ability to withstand violent storms without blackouts. Rather, the company’s success is measured by how effectively it minimizes impact and how quickly it can bring power back online after the storm. Likewise, the measure of competence for a CISO is not so much their capacity to prevent every conceivable breach, but whether or not they have a codified, rehearsed, and company-wide incident-response plan in place that can contain the incident and minimize the damage caused by a data breach.
Which brings us back to the evolving role of the CISO.
From those early days of being technical people and easy scapegoats, today’s top CISOs have a much broader role within business. That broader role requires a fuller skillset. They still need to understand the strategy and technology of cybersecurity, not to mention IT in general, but they also need to have the management acumen to make strategic investment decisions and to effectively deploy staff and third parties. They also need to have the vocabulary to translate security program objectives into business terms for the board of directors.
And, most importantly, they need to be able to instill confidence in the board that they know how to prepare the company to respond to a data breach, because breach-response effectiveness can mean the difference between a “blip” of bad publicity and an ongoing morass of litigation, regulatory fines, and customer loss. It is for this reason that what was once the career “kiss of death” for a CISO—being in charge when a data breach occurred—is now a resume builder. Boards rightfully want to ensure that the CISO knows how to “land the plane” following a breach, and what better experience could there be than having already managed a breach-recovery situation, particularly one whose outcome was as favorable as possible?
It’s been a wildly complicated ride for CISOs. Moving from “tech jockey” to strategic business executive in little more than a decade is not an easy shift. There is still a long way to go, as many CISOs are still viewed as technical hands by senior management and directors, but the trends are clear: more and more CISOs are getting a seat at the boardroom table. And with savvy boards of directors, breach experience gets CISOs invited into the boardroom, not thrown out of it. That’s a change for the better.
Mark Adams is the senior practice director of risk transformation at Optiv.