Why CISOs Must Evolve Alongside CIOs

A large number of CIOs now operate as C-level business executives focused on driving revenue and scaling digital business for their organization. This has put a spotlight on chief information security officers (CISOs).

“ As the CIO role evolves, so should the role of the CISO”

“Like it or not, you’re now the digital CISO regardless of title,” Christian Byrnes, managing vice president at Gartner, said at the Gartner Security and Risk Management Summit in National Harbor, MD.

As the CIO role evolves, so should the role of the CISO. This evolution is likely be ongoing as, according to the 2018 Gartner CIO Survey, 95% of CIOs expect threats to increase and impact their organization. “They know now that cybersecurity isn’t something to put on the back burner,” said Byrnes.

In response, Byrnes recommended CISOs support the new role of the CIO and take advantage of the opportunities it brings.  

Treat security like a business

The goal is to shift the view of security and risk from a technical problem to a strategic priority. CISOs must apply rigor and perspective to the business orientation, cost, and value of risk management and cybersecurity. CIOs can then help boards and executives better engage in risk-based thinking, improve decision making around risk and security investments and evolve the culture in the treatment of risk.

Byrnes shared the steps needed to do so:

1. Develop an executive narrative to reset perspectives on risk and cybersecurity
2. Formalize the risk and security program
3. Establish the risk and security business service portfolio and catalog and validate with the rest of the business
4. Determine standard costs for the risk and security business services
5. Enable the business units to choose service levels based on the cost-benefit and desire level of risk
6. Manage risk and security budget as a service of the selected service level and use chargeback or show showback to link to the budget to the business benefit

Be prepared to include non-IT executive risk stakeholders in security governance group and decision-making process. They often have a better grasp of the organization and its needs.

Support the CIO and seize opportunities

CIOs’ increased focus on business leadership presents CISOs with an opportunity. CISOs can take on additional responsibilities by encouraging their CIO to delegate leadership functions, provided the CISOs have the needed resources.

The new CIO role also challenges CISOs to sharpen the security strategy so it is closely aligned with the business focus of the CIO. Develop a clear, comprehensive vision and implement metrics relevant to business outcomes.

CISOs should seek out their organization’s digital business teams, commonly found in mature, top-performing organizations. Such teams move quickly, are typically responsible for enterprise transformations and can help CISOs build their future. If such a team doesn’t exist, CISOs should watch to see if one develops.

Pay attention to how and why CIOs rebalance technology portfolios. The 2018 Gartner CIO Survey revealed two areas that directly impact CISOs and in which CIOs are making large investments: cloud services and cybersecurity. Although ranked lower on the list of key investments, CISOs should also pay close attention to artificial intelligence (AI) and machine learning.

Many organizations have already made significant investments in the tech. However, AI and machine learning will be key as they can be used to offset hiring challenges. When done right, Byrnes said, AI can provide insights CISOs wouldn’t get otherwise. He offered three tips for those looking to implement AI:

1.   Ignore hype
2.   Start small
3.   Be strategic  

“It’s time to develop expertise in AI,” advised Byrnes. “It will benefit you over the next five years.”