Evolving role of the CISO

Chief information security officers (CISOs) need to support the CIO and seize new opportunities in digital business. Many CIOs now operate as C-level business executives focused on driving revenue and scaling digital business for their organization. This has put a spotlight on CISOs.

As the CIO role evolves, so should the role of the CISO

This evolution is likely to be ongoing, as 95% of CIOs expect threats to increase and impact their organization. They now know that cybersecurity isn’t something to put on the back burner, and CISOs should support the new role of the CIO and take advantage of the opportunities it brings.

The goal is to shift the view of security and risk from a technical problem to a strategic priority. CISOs must apply rigor and perspective to the business orientation, cost, and value of risk management and cybersecurity. CIOs can then help boards and executives better engage in risk-based thinking, improve decision making around risk and security investments, and evolve the culture around how risk is treated.

Gartner recommends six steps CISOs can take:

  1. Develop an executive narrative to reset perspectives on risk and cybersecurity
  2. Formalize the risk and security program
  3. Establish the risk and security business service portfolio and catalog and validate with the rest of the business
  4. Determine standard costs for the risk and security business services
  5. Enable the business units to choose service levels based on the cost-benefit and their desired level of risk
  6. Manage the risk and security budget as a function of the selected service levels, and use chargeback or showback to link the budget to the business benefit

CIOs’ increased focus on business leadership presents CISOs with an opportunity. CISOs can take on additional responsibilities by encouraging their CIO to delegate leadership functions, provided the CISOs have the needed resources.

The new CIO role also challenges CISOs to sharpen the security strategy, so it is closely aligned with the business focus of the CIO. Develop a clear, comprehensive vision and implement metrics relevant to business outcomes.

CISOs should seek out their organization’s digital business teams, commonly found in mature, top-performing organizations. Such teams move quickly, are typically responsible for enterprise transformations and can help CISOs shape their future role. If such a team doesn’t exist, CISOs should watch to see if one develops.

Pay attention to how and why CIOs rebalance their technology portfolios: two of the areas in which CIOs are making large investments, cloud services and cybersecurity, affect CISOs directly. Although ranked lower on the list of key investments, artificial intelligence (AI) and machine learning also deserve close attention from CISOs.