CISOs have long taken responsibility of information security for both physical and digital assets. But now with the relentless pace of technological and digital transformation, and with the equally fast adoption of it by the corporate world, cybersecurity has become immensely complex. The job of the CISO has become unenviable and indeed a risky position, for it carries a task of surmounting majorly unknown and uncontrollable factors.
Despite all of these things, CISOs the world over have generally maintained a great reputation for being a thorough professional and a trustworthy partner to executive management. CISOs have evolved through every cyberattack and learned and adapted to become more resilient and wiser, embracing more prudent practices as a matter of continuous improvement.
Now, what is the plan for future? When this question was discussed recently with industry leaders and a cross-section of CISOs and CEOs, the following points were shortlisted to be pursued or to be refined further:
- Enterprise IT Governance and Cybersecurity
CISOs should be subject matter experts in both areas collectively and should be able to present the emerging threats and the countermeasures adopted, as well as ROI metrics on cybersecurity initiatives, in simple terms to executive management and the board of directors. With the amount of technological transformation happening, CISOs are expected to advise the management on value delivery, strategic alignment, performance, and resource and risk management metrics. - Strategic Management and Vision
With technology being a great enabler for various new business initiatives, and innovation and cybersecurity being one of the very important factors to earn the trust and goodwill in the marketplace, CISOs should be able to translate the business strategy into implementable IT strategy and to play an important role in delivery of cyber-safe products and services. - Compliance with Global laws
CISOs need to be on constant watch for various international regulations, such as NYDFS, CCPA, GDPR and FedRAMP. India recently released the Digital Personal Data Protection Bill, with the provisions coming into force anytime by the notification from the central government. - Continuous and Ongoing Learning
This cannot be overemphasized, as it is an integral task for every professional in cybersecurity. CISOs need to acquire deep domain knowledge, a mastery of skills related to evolving technology and various associated fields, such as forensic science and cybersecurity laws. - Chief Knowledge Officer
CISOs need to continuously update themselves on good practices of cybersecurity and evolving threats and then educate others in simple terms, demystifying the complexity and fear surrounding their fields. - CISO and Agility
Many successful CISOs have already incorporated the values emphasized in the manifesto for Agile software development, reproduced below
- Individuals and interactions over processes and tools:
CISOs nowadays place a high premium on human interaction and people working together. Processes and tools can aid but can never replace human interaction. - Working software over comprehensive documentation:
All security software and applications should be working perfectly and should be monitoring all events and warning incidents effectively. Documentation is important, but effective operation is mandatory. - Customer collaboration over contract negotiation:
From the CISO’s perspective, stakeholders can include top management, peers, employees, enterprise customers, regulators and government authorities, as well as external vendors and service providers. The CISO needs to effectively collaborate and strive for a win-win relationship with everybody. - Responding to change over rigidly following a plan:
It is massively difficult for a CISO to plan for every incident, event, disaster or threat. Therefore, using the collaboration principle stated above, the CISO should be able to respond to all incidents and regulatory changes in a timely and effective manner
- Individuals and interactions over processes and tools:
- Servant Leadership
Globally, many successful CISOs have adopted a mindset of servant leadership. The term was coined by Robert K. Greenleaf in an essay published in 1970. Servant leadership is a leadership philosophy that states that most effective leaders strive to serve others, rather than accrue power or take control. Therefore, CISOs should focus on serving customers, partners, fellow employees and the community at large.
Leading By Example
In addition to the points above, CISOs should be able to lead by example by following best practices diligently, being tolerant of short-term failure and open to new ideas, and creating an environment of safety. Through this approach, and by staying true to their professional and ethical values, CISOs are here to stay as a community of elite professionals.
Author’s note: The opinions expressed are the author’s own views and do not represent that of the organization or of the certification bodies he is affiliated with.