When it comes to cybersecurity governance and management, there is no “one size fits all” approach.
Today’s CISOs have a much wider range of responsibilities than their predecessors, the IT security officers.
The role of the CISO is no longer purely technical, focused on protecting infrastructure and endpoints and on operations within the network perimeter. Today’s CISO is likely to be involved in software security, cloud applications, security awareness, and user training.
The reporting lines are also different. While some CISOs still report to the CIO, they are just as likely to have their own seat on the board. This reflects a larger change in attitudes towards information and cybersecurity. Cyber attacks pose an existential threat to organizations. A response at board level is not only appropriate; it’s essential.
The growing role of the CISO
But the updating of cybersecurity governance must also go hand in hand with the evolution of the organization’s risk approach. Cyber threats are no longer something that can be avoided. To some extent, they represent a cost of doing business.
There is a lot of commentary on the need for organizations to understand their attitudes towards risk. Cyber risk is no exception. Part, if not all, of this responsibility will rest with the CISO. They must analyze the risks, propose mitigation measures and present the results to the board of directors.
In addition to monitoring new and changing threats, CISOs must stay one step ahead of technological developments.
These include cloud technology, artificial intelligence and machine learning, as well as the use of advanced analytics and sensors. Some of these developments are security specific and are the key to providing a faster response to the most damaging attacks. Others are motivated by the needs of the company at large to improve its agility, flexibility and responsiveness to customers.
Add to this the need to keep up with changing regulatory requirements, tighter compliance enforcement, new working models and lower tolerance for downtime, and it’s clear that a single CISO is no longer a viable solution.
A new structure: a CISO office
These growing responsibilities are prompting forward-thinking organizations to review the organization of the CISO role. In larger companies, there is a strong case for appointing multiple CISOs in a way that covers business units, geographies, or specific areas such as operational technology or software development.
So, should organizations try new models for the CISO role? It is increasingly clear that a one-size-fits-all approach will not work. And it’s equally clear that a single CISO will struggle to manage all aspects of cybersecurity and risk in a business.
One idea that is gaining traction is the “CISO office”, a structure with several CISOs. This could be built around a “super CISO” with overall responsibility for security and risk, heading individual CISOs or security managers for business units or geographies. Another version might see security officers aligned by function, with a CISO for manufacturing, for the supply chain, and for the CTO’s office, for example.
Bringing security together in this way should also help the organization adapt to other changes in risk and security. Physical and IT security – or, more precisely, physical and information security – are already converging. And effective cybersecurity increasingly depends on well-trained and knowledgeable people. The CISO office is as likely to be involved in security awareness and education as in technical measures such as firewalls or threat detection.
Creating a chief security officer or a CISO office integrates these disciplines and skills. This should make the security function more responsive and adaptable, but also more resilient. Workloads are spread across a team rather than resting on a single person, and a team approach allows a degree of specialization. The head of global security then reports to the board of directors.
It also lays the foundation for the future development of the security role. In large organizations, such as those in the financial industry or government, it is already common to have 1,000 or more employees working in security roles. This will only grow as the CISO office assumes responsibility for physical security, crisis management and business continuity.
However it is organized, it is clear that the position of the CISO is now closer to the boardroom than to the basement.
About the Author: Stephen Pritchard is a video journalist, host and writer. He works as a freelance producer, presenter and moderator, and writes news, analysis and feature articles for the international and UK press, trade media and magazines. Stephen’s primary fields include technology, telecommunications, security, science, and management. He is an editor and columnist for IT Pro and Infosecurity Magazine. Stephen also writes for a number of newspapers, including the Financial Times, the Guardian and the Sunday Times.
Editor’s Note: The views expressed in this guest author’s article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.