
The Evolving Role of the CISO: From Risk Manager to Business Enabler

One of the first things I do in my role as chief security officer is reach out to the heads of other departments to find out how I can integrate myself into their operations. In one more extreme instance, I asked if I could join the sales department on a part-time basis. Not as a salesman, but in my role as CSO. The head of sales was a bit perplexed, but agreed. For a year I participated in sales meetings and even went on sales calls.

You may be thinking: You’re a chief security officer. Why would you spend a year in the sales department, even part time, when your job is to protect the company from security breaches and ensure that it remains compliant?

I would answer that merely protecting the company from security breaches and ensuring compliance is actually not a very good descriptor of my job, nor the job of my peers and colleagues around the globe. Not in 2017, not in 2018, and certainly not in the years ahead.

The Transition to Business Enabler

The role of the CSO, or as many prefer, the Chief Information Security Officer (CISO), is evolving at a faster pace than ever before. The CISO now must identify himself or herself as a business enabler and, just as critically, he or she must be recognized in the same way by others—from the boardroom to the executive suite to the various lines of business and departments that keep the organization focused, functioning, and moving forward on a day-to-day basis.

If the CISO is empowered to enable the business, he or she must speak the language of business and be conversant with the basic activities and values of the business. Twenty years ago the job was basically to manage the firewall and secure the perimeter. You didn’t have to know much about what you were protecting, as long as you knew which technology solutions would do the best job of keeping the bad guys at bay.

The world today is much different. Digital technologies and connectivity have infused every aspect of the business. This elevates risk, but it also elevates the value and importance of the cybersecurity function. The CISO increasingly has a seat in the executive suite because security is no longer just about risk; it’s also about competitive differentiation.

The Evolution of the CISO

What are the skill sets that will differentiate the best CISOs from the rest? What do business leaders and board members expect from their CISOs, now and in the future? How can CISOs ensure that we are truly enabling the business, while still performing our fundamental responsibility of having a secure company and a secure customer?

To business leaders and board members, I suggest ensuring that your CISOs are focused on three specific areas.

1. Ensuring that the organization is extremely disciplined in the things that are known. This should encapsulate the basic tasks of the cybersecurity domain—controls, vulnerability scanning, patch management, application security, and more. If you can’t deliver on the basics, you can’t deliver, period.

2. Becoming proficient in addressing today’s more expansive expectations. For example, CISOs can talk about risk management, but they need to actually define it and articulate it for their organizations, so decision-makers understand what they are investing in, and why. CISOs must be proficient in empowering specific initiatives that are impelling their organizations forward, such as cloud computing, modernizing legacy applications or enabling secure mobility, digital transformation, and other organizational imperatives.

3. Analyzing, predicting, and preparing for the future. Technology is moving at a rapid pace, to be sure, but there are certain things we can predict about the future with pretty clear certainty. We know that the Internet of Things is something we must make secure. We know that IT consumerization will continue to redefine customer expectations. We know that jurisdictional fiefdoms are continuing to impact how we think about security. We know that technologies such as artificial intelligence and machine learning will help drive innovation, within our own organizations and among our adversaries.

CISOs must be thoughtful and proactive in advancing security into these domains before they become a problem. Business enablement is more than merely being aware of these responsibilities and challenges; it also requires that we become excellent and proficient in communicating, collaborating, interacting, and managing our inter-relationships within the organization.

Clearing the Lines of Communication

It is not simple to evolve from the kind of cloistered, poorly communicating security department that has characterized many organizations into an operation that is fully engaged and adapted. You need to have the buy-in, support and prioritization of the security function across the organization, whether that is sales, marketing, development, customer support, or any other business function or department.

The only way to get that buy-in is through communicating and transitioning the language of security into a language that business people understand. CISOs have to step outside of the security domain and see what value they can add throughout the organization. In my experience, there are four fundamental objectives the CISO must be thinking of when communicating within the organization:

  1. How can cybersecurity help generate, protect, and ensure revenue?
  2. How can cybersecurity help retain existing customers?
  3. How can cybersecurity help differentiate against competitors?
  4. How can cybersecurity drive operational efficiencies and effectiveness?

CISO: The Next Generation

Tomorrow’s CISOs will have to be on intimate terms with every aspect of the organization. I think it is wise for security professionals to follow the intent of an MBA rotation program and spend a quarter inside the marketing organization, a quarter inside sales, a quarter inside finance, a quarter inside HR or manufacturing, or some other department central to the overall operations of the business. You get a basic, simple education over time. It’s not academic. It’s real. You get to watch the everyday lives of your constituents. It helps you change your security model and mindset.

People often ask what characteristics to look for in potential CISOs. The first thing I look for is someone with a strong moral compass. I look for people who will do things beyond their responsibilities. If she sees something wrong, she fixes it, without looking for credit. I look for people who have a basic curiosity.

We are a horizontal function across the business. I want someone who wants to ask: How does the business operate? How does it grow? And I certainly want someone who is curious about security technology. If you’re not curious about new technology, you’re not going to take the time to explore new ways of doing things. In cybersecurity, we always have to be willing to adopt new technologies and new solutions to solve new problems.

This is a great time to be a cybersecurity professional. Our role in our organizations, and the world, is becoming more critical and more highly valued. It also means we take on more pressure and have more responsibility. Doing things the way we’ve done them in the past just won’t cut it in today’s environment.

To prepare ourselves and our organizations for the future, we must understand and speak the language of business enablement. We must be curious about how the business works, and we must be articulate in explaining how we can help. We must evolve and we must do it quickly. The Digital Age isn’t waiting for anyone.

Justin Somaini is the Chief Security Officer of SAP, responsible for SAP’s overall security strategy. He has more than 20 years of information security experience, including senior-level positions at Box, Yahoo, Symantec Verisign and Charles Schwab. This article was excerpted from the soon-to-be-published book Navigating the Digital Age, Second Edition.