The role of chief information security officer has expanded in the past decade thanks to rapid digital transformation.
Now CISOs have to be far more business-oriented, wear many more hats, and communicate effectively with board members, employees, and customers alike, or else risk serious security failures.
In a wide-ranging press Q&A at CPX 2024 in Las Vegas, a panel of CISOs and vice presidents of international organizations conferred on how digital transformation, bottom-line pressures, and lack of security awareness have forced a shift in the nature of their positions: broadly, from technical to businesslike, and highly social.
Today, they suggested, what makes an effective CISO - and, by extension, an effective security culture at an organization - depends as much on softer communication skills as on mitigating vulnerabilities and defining policies.
Security leaders who thrive with the latter but lack in the former end up exposing their organizations to major breaches.
Years ago, the position was created with the relatively narrow cyber risk focus that it's still associated with today.
That focus has since widened, thanks firstly to a broadening of the corporate attack surface.
Typical breaches used to require vulnerabilities in corporate resources - think Target, Ashley Madison, and the like.
Nowadays, particularly since COVID, it's employees' emails, phones, and other devices that instead represent the greatest risk to organizations.
As the responsibility of information security has become a collective one, CISOs have been forced out of their silos.
The increasingly business-facing responsibilities of the CISO were reflected in an IDC survey revealed at CPX. Of 847 cybersecurity leaders polled, 10% believe that the most important job of a CISO is leadership and team-building skills, and 8% believe it's business management skills.
Actual cybersecurity awareness and understanding, and IT architecture and engineering skills, received hardly more votes at 12% apiece.
How CISOs Can Do Better by Employees

It's not merely that CISOs should double as businesspeople - they need to.
The subtlety in Creed's argument - echoed by others at the roundtable - is important.
Preventing security lapses by employees is not simply a matter of spreading awareness, they emphasize, because even knowledgeable employees ignore security when their relationship with their security team isn't healthy, or when hygiene is simply too effortful.
If talking to employees and making security easier for them isn't enough, CISOs can also experiment with alternative incentives.
In its survey, IDC asked CISOs and their fellow CIOs what CISOs actually do - such as whether they focus on strategic architecture, or whether the job is tactical by nature - and found notable discrepancies in the responses, indicating that even the CISOs' closest C-level partners aren't totally on the same page.
Originally published on www.darkreading.com. Publication date: Mon, 11 Mar 2024 21:40:22 +0000