CISO: The C-Level executive missing from your board

by Magda Chelly, Ph.D., CISSP

The CISO, or Chief Information Security Officer, is a role that has seen increasing demand in recent years. With rising cyber threats and the related emerging risks, CISOs have gained prominence and are at the top of job listings.

When I started my career many years ago in France, the demand for information security was almost nonexistent. Companies were focusing on IT transformations, CRMs, and digitalization. Their priority was generating revenue through innovative new business models. What has changed since? Not much around business objectives, but quite a lot around business strategies. In fact, 85% of consumers will not do business with a company if they have doubts about its security and privacy practices, according to the PwC report of September 2017.

The numbers

We are living in a world where technology evolves at a tremendous pace, leaving new and unknown risks for businesses in its wake. Recent data breaches and hacks make the news every day, and big brands have not been spared. Thus, businesses need to take practical and efficient steps. One main step was, and is, to build a cybersecurity “department” or team. In fact, many listed companies do not yet have a CISO, the leader who would undertake that task. Unsurprisingly, CIO Magazine stated in 2016 that less than 50% of companies had a CSO (Chief Security Officer) or a CISO. CISOs enjoyed a substantial increase in 2017: 65% of companies have CISOs, as per ISACA’s 2017 State of Cyber Security Study. However, the report surveyed a global population of cyber security professionals who hold ISACA’s Certified Information Security Manager® (CISM®) and/or Cybersecurity Nexus Practitioner™ (CSX Practitioner™) designations, as well as individuals in information security positions. Those numbers are therefore, in my opinion, more positive than the wider reality.

In Singapore, a LinkedIn search for CISOs shows only 323 results, with 56 results for job openings as of March 3rd, 2019. This result is by no means an absolute number; however, it certainly gives an idea of the demand currently arising in this market, which has approximately 219,000 Small and Medium Enterprises, representing 99% of all its enterprises.

The reporting

In many large organizations, the CISO role has been an important, top priority. However, that does not imply a general understanding of the role and its key aspects. Attention has still been focused mainly on the CIOs and CTOs, I guess for historical reasons as well. So where does the CISO’s role fit best?

I have personally addressed this topic during one of my talks in Singapore, and I believe a lot of maturity is required within companies to reach the most efficient balance and organization. In my case, when I started my CISO journey in Singapore, I reported to the CIO, or Chief Information Officer. The situation evolved in my later roles, where I was directly assigned to a CISO office, and the global CISO held an important role within the executive ladder. However, in many cases, I have seen CISOs “refused” direct interactions with the board or the business, or else given a 5-minute slot at a board meeting. According to the Governance of Cybersecurity: 2015 Report (Georgia Tech Information Security Center, October 2, 2015), 22 percent of respondents work in an organization where the CISO reports directly to the CEO, while 40 percent still report to the CIO. Those numbers are slowly evolving; however, the change is still not the norm.

In my opinion, the main challenge was, and definitely still is, communication. Let’s take the example of a traditional cyber security professional’s journey: a Bachelor’s degree in computer science, information technology, cybersecurity or a related field; then programmer, security professional or analyst; then engineer or security consultant; then security manager or auditor; and finally CISO. The CIO’s journey has been totally different, with a focus on leadership experience through project management, risk management, and so on. How can today’s aspiring security leaders make their way up the executive ladder and get CEOs’ attention?

CISOs, especially early in their careers, tend to focus on technical issues and “vulnerabilities.” This often leaves them far removed from business realities and priorities. By comparison, the CIO has much more interaction with the operations of the business or its finances. The CIO has an overview not only of finances but also of budget, governance, and compliance.

Throughout my career, an important career-changing factor was that I had owned businesses, held business-related roles and gained a lot of “live my life” experience. Owning a business that is not related to cyber security allows you, as an individual, to put things in perspective and to address cyber security and privacy from a different angle. It also helps in understanding risks and liabilities. It improves business communication and alignment with stakeholders from different backgrounds.

The Changing CISO Role

With CISOs focusing and working more transversally across all core corporate departments, the role definition is evolving as well. In today’s world, where we face a tsunami of technologies and where companies exist and provide services without products, technology-related risk is a key risk to address, and that undeniably means cyber risk.

Historically, cyber security was considered an IT job. Today, companies are aiming to build resilience and cyber readiness, implementing cyber best practices at all business stages. The business question now is: “Tell me, how can I assure my clients that we are securing their data properly?”

A good CISO will be able to define and explain the limits of the role and its responsibilities, as well as report cyber risks in a business-oriented manner. An important consideration here is risk ownership, which is often misunderstood and assigned to the CISO office, while it is, and will always remain, business ownership. The CISO becomes the interpreter of newly arising cyber risks for business leadership.

The CISO role is evolving into a strong leadership role, requiring communication, leadership, and mentorship skills.

The takeaways

Building cyber resilience and readiness together with an awareness culture is a key success factor, including a clear overview of, and alignment on, risk ownership.

CISOs with the ability to address topics without focusing on technical issues will gain more respect and credibility from the business, and possibly a seat in the boardroom. My practical advice and takeaway for aspiring CISOs: put yourself in “a day in the life of” scenario. Learn from it and look at your world from a different angle, the business angle.

Magda Lilia Chelly is a CISO On Demand. She reviews technical architectures, cloud migrations, and digital transformations. She holds a PhD and a CISSP. With her expertise and technical background, Magda provides 360-degree cyber security support for companies; from governance to incident management, she coordinates and builds resilient businesses. Magda’s latest two projects covered the roles of Regional ISO Lead Implementer for a Fortune 500 company (ISO 27001:2013) and business information security officer for a MAS-regulated Fortune 500 company covering 13 countries in Asia Pacific. Those projects gave her all the required expertise around regional and global cyber security requirements.
