Founder & CEO, Corix Partners | Author “The Cybersecurity Leadership Handbook for the CISO and the CEO” | Board Advisor | Non-Exec Director
In many large organizations, I’m noticing that defining and structuring a chief security officer (CSO) role is starting to make more and more sense. The concept is not new and has generally been used to encompass all the security aspects a firm may face—physical and digital.
I believe it is time to look at it from a broader angle in many large companies. Broadly speaking, the role of the CISO (chief information security officer) has failed to drive change and build sufficient momentum around cybersecurity issues over the last two decades.
This is likely driven by an excessive technological focus, which has imprisoned CISOs in technical firefighting and prevented them from adequately reaching across the business and developing sufficient management and political acumen.
Today, as the penny is dropping across boardrooms, and the “when-not-if” paradigm dominates around cyberattacks, I’m seeing the execution of protective measures become paramount, over and above risk appetite or compliance considerations.
Increasingly, it seems many CISOs are feeling trapped in an impossible role, where they are expected to be audible and credible across the depth and breadth of the enterprise, from boards and regulators to pen testers and developers. This is something I’ve seen myself in the field as a CEO and board advisor all too often.
I believe that no profile can reach effectively across a spectrum of skills that wide, and it starts to make sense to evolve the role by separating the components it has been accumulating over the years.
This is made all the more important by the increasing regulatory and reporting pressure, which has been mounting steadily for all businesses over the past decade across all industry sectors. It started around data privacy, with the GDPR in Europe and many equivalent state regulations in the U.S. Reporting demands are now developing at the federal level, and governance aspects are also coming under increased scrutiny.
This regulatory intervention is simply the result of devastating cyberattacks that have threatened or impacted key infrastructure components and brought into broad daylight the extent of the disruption those types of events can cause.
As a result, senior executives have started to look beyond traditional business continuity approaches, to pay more and more attention to resilience concepts. All those aspects (cybersecurity, regulatory compliance, resilience) have one major component in common: They are cross-functional and require a reach across corporate silos to be effective and efficient.
I would add that, on those three fronts, the risk dimension is increasingly becoming obsolete. This is no longer about events that may or may not happen, but simply a business reality that has to be factored into the way the firm operates.
These factors are building momentum behind a redefined role for the CSO, or chief security officer, encompassing oversight of physical and cybersecurity, but also data privacy, operational resilience and their associated compliance and regulatory reporting obligations. I believe a role of this magnitude in most firms would make sense and function from the top of the firm as part of the most senior business leadership team.
If seen as a senior management role, it can focus on building the necessary cross-functional channels, ensuring they remain active and bridging across business and political issues by bringing sufficient gravitas and credibility around the matters involved.
In my opinion, we are miles away from the current role of most CISOs (our starting point), but that does not make their job any less relevant. To the contrary, it offers an opportunity to refocus the role of the CISO on its native technical content and give it renewed currency by stripping off the corporate layers added over the years, for which its holders—most of them technologists by trade or background—might have been poorly prepared.
A dual reporting line to both the CSO and the CIO (chief information officer) would then make sense for the CISO and ensure a degree of independent oversight in industries where separation of duties is scrutinized. This type of model is essential in my view to drive large-scale programs where cybersecurity maturity is low and urgent transformation is required across the cybersecurity practices of an organization.
Finding The Right Candidate To Be Your CSO
The combination of the top-down and cross-functional influence of the CSO with the technical reach of the CISO should be key to creating and maintaining the momentum required to deliver change and break business resistance where it happens.
In my experience, firms looking to implement this type of CSO position should start by looking internally for the right executive: Ultimately the role is all about trust, and your candidate should have intimate knowledge of how to navigate the internal workings of the organization. I would recommend looking for someone who is an ambitious leader—not someone in an end-of-career position. Additionally, consider assigning this role to a seasoned executive: someone you believe is motivated overall by the protection of the business from active threats and able to take an elevated, long-term view where required, over and above the short-term fluctuations of any business. Demonstrating leadership in a field this complex should be seen as an opportunity to showcase skills that can be applied elsewhere in the organization.
And finally, be sure to avoid appointing another technologist to the role: The profile of the CSO needs to be a business profile, so that cybersecurity can finally be embedded in a broader business context.