The job of a chief information security officer (CISO) is a complicated one, combining protecting data and strategic planning. It is only getting more complicated as cyber threats evolve, and high-profile breaches condemn organisations to public embarrassment if not a financial disaster.
So complicated in fact, that according to Deloitte's CISO Transition Lab, a single CISO must now wear four separate faces: technologist, guardian, advisor, and strategist.
Each offers its own distinct set of challenges that must be answered individually to make the position a success, while simultaneously ensuring that none of them is neglected.
The traditional roles of managing security and protecting company data represented respectively in the roles of technologist and guardian, have been the preserve of the CISO since the inception of the job.
The early CISOs were occupied by technical solutions that were at the time solely the preserve of the IT department. The Deloitte Review describes the technologist face as guiding "the design, development, and deployment of secure technical architectures, installing security standards and implementing innovative countermeasures." It covers the choice and management of the platforms, policies and services that protect the company from threats both today and tomorrow.
The guardian meanwhile monitors the systems that preserve security ensuring they function fully and adhere to regulatory requirements, and that any company data is secure.
As the use of technology spread throughout the organisation, the security threat grew and became a more complicated problem. The role of CISO has changed immensely as the quantity and importance of data has exploded, while at the same time security threats have grown in sophistication.
Technical solutions now overlap with risk-management and encompass every aspect of the business. The CISO is the individual primarily responsible for this, and thus takes on the two additional roles described by Deloitte, those of strategist and advisor.
The former, says Deloitte, is "the chief value architect for all cyber risk investments". It requires the CISO to work closely with company executives to ensure security and business needs are aligned. The CISO therefore becomes a businessperson as well as a security specialist. He or she must develop a deep understanding of the company’s business operations to provide advice that provides security that fits with the organisation’s budget, culture and priorities.
The final face of advisor is one that "helps identify cyber risks that arise as the business advances new strategies." This expands on the business knowledge required in the role of strategist, adding the necessary communication skills to keep all the relevant stakeholders informed of threats while developing a deep understanding of their own priorities as they develop.
Many CISOs still focus on the two traditional roles, as they’re the most familiar and generally closest to their skills and training. According to Deloitte, they spend 77 percent of their time on average as technologists and guardians and the associated technical aspects of their position.
That doesn’t mean they can’t adapt to incorporate the two additional faces in the framework. Developing the business knowledge and communication skills can add great value to their strategic advice, and bridge the gap between cybersecurity and daily operations in the enterprise.
That isn't to say that it's easy. The role of CISO remains fairly new, and the exact responsibilities aren’t always obvious. As they grow, the forward-thinking CISO should be looking more closely at the varied risks to the business, and not just the function of technology.
To open the boardroom door and gain the necessary collaboration with C-level executives, a CISO needs to think as they do and understand their goals and their company's culture to balance risk and reward in an effective security policy. Only then will they be successful in the four faces of their job.