The New Role of the CISO: Defining What it Means to Run Security Today
Security has long been a major concern among consumers, and the security of IT systems in particular has been a challenge since the early days of IT. The rapid evolution of IT brought businesses immense gains in efficiency, but also many new complexities.
To establish risk transparency, the Three Lines of Defense (LOD) model was introduced in the 1990s as a control framework. In line with this model, companies have traditionally split the responsibility for security risks across several roles:
- The Chief Information Security Officer (CISO), responsible for IT security, was positioned in the First LOD and reported to the Chief Information Officer (CIO); operational managers handled IT production, including help desk support and data supervision
- The Chief Security Officer (CSO), responsible for security of the facility (such as protection against flood or fire), was in the Second LOD and reported to the Chief Compliance Officer (CCO) or Risk Manager; oversight of the company’s overall risks, as a control on operational activities, also sat in the Second LOD
- An External Auditor, responsible for an independent review of the company’s efficiency and the consistency of its controls, formed the Third LOD
However, times have changed since the Three Lines of Defense model first entered the market: the information processed by the IT organization has become business-critical, while facility security processes have diminished due to outsourcing or automation. With isolated technical protection measures and a security budget restricted by the CIO, the traditional split of responsibility has proved incapable of managing IT security risk properly.
To effectively address and control emerging security threats on a global scale today, companies need a new approach to their organizational structure. Without making the proper changes and proactively arming themselves against future security threats, companies risk not only data breaches, data misuse and cyberattacks, but also the loss of consumer trust.
Transitioning from Defensive-Reactive to Proactive
As stated by Paddy McGuinness, former Deputy National Security Adviser for Intelligence, Security and Resilience in the UK Cabinet Office, “Your organization of CISOs gets to define what it means to run a new mission-critical function in an organization.” The first step to accomplishing this is communicating what the new role of the CISO should look like to the management board and getting buy-in from the appropriate decision-makers. The CISO’s role must expand beyond, for example, configuring local firewalls, and move to the Second LOD. Furthermore, CISOs must broaden their responsibilities to cover cyber threats and outsourced IT services, including both public and private cloud environments. Doing so will enable the CISO to transition into an organization-wide management role with four primary responsibilities:
- Oversee security controls and measures
- Coordinate the implementation of controls and measures, as well as coordinate with the CIO in the first line of defense
- Identify security risks with the risk manager/CCO
- Escalate security issues to the board
These global responsibilities enable the CISO not only to manage enterprise security, but also to initiate activities aligned with future strategic development. The defensive-reactive role of implementing security measures must change into a proactive one that takes future, global solutions into consideration, such as:
- Integrating security measures throughout the entire IT environment, including end users, using automated security information and event management (SIEM) mechanisms
- Implementing algorithms, artificial intelligence (AI) and big data analytics to produce security risk predictions
- Developing real-time data flow scans to continuously monitor data traffic for unusual activity that might be a security threat
As shown above, the CISO is not only responsible for transformation at the technology level; the CISO must also handle security like a business. Ultimately, the CISO should be responsible for formalizing all security risks and measures across the entire company.
Together, the CISO & the Board will Redeem Organizational Security Measures
While the role of the CISO must evolve to enact more comprehensive security risk measures within the business, the board management team will also need to become actively involved in IT security, in the same manner as it traditionally is in finance, legal or HR. The growing gap in understanding the security risks caused by new IT threats has to be minimized from the top down. Several new standards and frameworks around cloud and cybersecurity risks, including NIST, COBIT 2019 and BSI (Bundesamt für Informatik, Germany), have led company boards to establish internal control bodies to manage the rules.
The CISO plays a central role in managing the implementation of security controls and governing the entire IT security environment, but the accountability for enacting a comprehensive security risk program falls at the board level. In fact, the board’s responsibility related to security has been formally specified in corporate standards for a long time. For example, the board should be able to respond to an auditor’s questions around a mitigation plan for the top 10 cyber security risks.
Together, the new role of the CISO and the board’s involvement will restore effective security measures within a company.