The CISO role will either flourish or vanish
Without a doubt, any C-level executive title comes at a personal cost — sleepless nights, countless questions and loads of responsibilities. That said, I believe today’s role of the CISO is accompanied by enormous pressures. Consequently, the way the role is currently structured does not set the CISO, nor the organization, up for success.
In speaking with my peers across the industry, I realize that we’re at a pivotal time for CISOs. Since its creation 20 years ago, the CISO role has evolved and has enormous potential, but it’s one that requires a great deal of support given an ever-evolving threat landscape.
And frankly, I believe that at the rate the industry is changing, the CISO role has the potential to fail, unfortunately. That said, the ship can be righted with a few operational adjustments and by shaking up the way the role is structured, funded and regulated.
Increase the budgetary foundation for the CISO role
CISOs have been facing a more sophisticated threat landscape over the last few years. The World Economic Forum recently reported a 72% increase in data compromises in 2023 over 2022, which had also been a record-high year. CISOs must contend with higher volume and more complex threats, while budgets aren’t scaling at pace, with 2023 budgets, up just 6% from 2022.
To be effective, the CISO’s budget must be significant enough to realistically combat the malicious actors in order to maintain an organizations’ cybersecurity posture. But simply throwing money at a problem isn’t the answer either. Security budgets must be allocated to hiring strong talent and developing a strong tech stack that addresses new and evolving threats. For example, with 93% of malware now hiding behind encrypted traffic, gaining visibility into such activity is the first line of defense, yet many organizations aren’t set up to support that today.
Realign on federal regulations for CISOs
The increasing activity CISOs are combatting has been coupled with added legal liability and federal regulations. With the SEC adjusting its cybersecurity disclosure rules, and some organizations considering implementing eight-hour disclosure policies, it’s clear that these regulations often miss the mark and can set security professionals up for failure rather than enabling them to achieve their intended outcomes. Although more visibility and transparency into breaches can protect impacted users, consumers, employees and other organizations, the regulations are too time-sensitive, putting unnecessary additional pressure on CISOs who are already working around the clock to mitigate cyberthreats.
In many cases with these disclosure regulations, CISOs can be charged for misleading investors and can be legally and financially accountable for breaches. Of course, CISOs should act with integrity and do everything in their power to avoid a breach, but with cases like this, it definitely gives security professionals pause when considering that top spot.
Shake up the reporting structure for CISOs
As the CISO role stands, we are tasked with protecting our organizations from the ever-increasing malicious threat actors with smaller budgets and even more red tape, proving it incredibly difficult to make a great impact. CISOs traditionally report to heads of legal, CIOs, or other technical heads, yet are still often legally culpable for any breach.
In this chain of command, the CISOs have an unfavorable seat at the table, and are often missing a direct line to the CEO. Instead, I believe CISOs should report directly to the CEO and the board. This dotted line connecting the two would provide necessary communication, shared information, budget visibility and oversight. This dynamic relationship, fostered by recurring metric presentations and appropriate budget allocations, would be a surefire way to improve overall performance and efficacy for the CISO position.
The clear path forward for CISOs
Based on the above, if I could wave a magic wand and reconfigure the CISO position, I’d equip CISOs to:
- Have direct budget oversight to properly improve visibility to reduce exposure to threats
- Develop a shared legal and financial responsibility model
- Directly report to the CEO and the board
As a Chief Security Officer, and having dedicated my entire profession to strengthening the cybersecurity industry and my organization’s cybersecurity posture, my focus is to elevate both understanding and support of the role. CISOs perform mission-critical work each and every day in protecting their organizations, stakeholders and consumers from being victim to malicious actors. But I also understand that the work can feel incredibly draining and borderline impossible if we continue on the current course. That said, I believe with the right resources in place, practical regulations and a more productive reporting structure that brings the security perspective to the executive leadership table, the industry would ultimately prosper in its mission to strengthen security.
https://www.securitymagazine.com/blogs/14-security-blog/post/100655-the-ciso-role-will-either-flourish-or-vanish