In this edition of CISO Conversations, SecurityWeek discusses the role of the CISO with two CISOs from the major crowdsourced hacking organizations: Nick McKenzie at Bugcrowd and Chris Evans at HackerOne.
The purpose, as always, is to help aspiring new leaders better understand the complexities of the job based on the careers and experience of existing top tier CISOs.
If you want to be a CISO, you go to... well, there's no predefined route, possibly because there is no easily defined profession and no easily defined role for the CISO. It differs between companies, verticals, and jurisdictions - and it changes rapidly over time.
That's why we explore CISOs' early career paths.
For most current CISOs, cybersecurity either didn't exist as a profession, or was a nascent idea just evolving when they started.
With these attributes, anyone can still become a CISO. The role of the CISO continues to change and is difficult to define.
The position of the CISO in the organizational structure is undergoing a radical realignment.
The security department grew from a desk in the IT department to its own department with its own 'head', the nascent CISO. But the CISO continued to report to the head of IT, the CIO. The importance of cybersecurity has continued to grow, driven by costly breaches and regulatory requirements.
The natural affinity between IT and security remains, but the CISO must now deal with the entire business and not just the company's IT infrastructure.
It also highlights a fundamental question: to whom should the modern CISO report? The CIO, the CTO, the CEO, the CRO, Legal, the board, or someone else entirely?
In some larger companies, the CISO is just a title for someone owning security policy, with other frontline operational teams undertaking the work.
It highlights a growing tendency to reintegrate IT and security under one position, avoiding the potential complexities of the CISO reporting to the CIO. The trend is growing, usually with the CISO adding IT to the security remit rather than the reverse, but it still depends on the size and type of company concerned.
It is possible that this is an early sign of a new shift in the role of the CISO. The growth of cloud first strategies and remote working is reducing the owned IT estate and therefore reducing the reliance on a full-time CIO. At the same time, the security of both cloud and remote working increases the importance of security.
These continuous changes in the precise nature of the CISO's role highlight additional important attributes for the modern and future security leader: adaptability, a strong background in computer technology, and an understanding of user behaviors.
Most CISOs cut through the issue by bypassing any dependency on qualifications and certifications.
Both CISOs have the advantage of global remote working - they can effectively recruit from any country not subject to sanctions, which automatically increases diversity within their teams.
The CISO must ensure the correct level of pay, and an acceptable career path for team members.
Mentoring the security team is an important part of being a CISO. Firstly, it improves team expertise, and secondly it encourages individual career prospects - making a good team stronger and keeping the team together and energized.
We can glimpse CISOs' mentoring stance by looking at the advice they received in their own journey, and the advice they would give now.
While we've discussed the complex aspects of being a CISO, the underlying purpose is simple: to protect the business from cybersecurity threats.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 09 Apr 2024 15:28:05 +0000