Over the last several years, the role of the chief information security officer (CISO) has undergone a critical transformation from technical guru to core member of an organization’s senior leadership team. But in highly regulated, complex industries such as financial services and healthcare that harbor large amounts of personal information, the role is undergoing a further evolution as sensitive data takes on an increasingly central role in all parts of the business.
This more information-centric environment, which is still taking shape, calls for a different way of thinking about and managing risks within the organization (see Figure 1). This change in thinking includes:
- A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
- Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
- A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.
A new profile for a more strategic role
The CISO thus will evolve from the unsustainable “cyber czar” position to become responsible for managing the organization’s information risks, supporting and sustaining the appropriate risk management culture and engaging with the C-suite regarding the use of new technologies and the information-risk implications of entering new businesses. Indeed, we can see the beginning of this shift as some sophisticated organizations (especially in financial services) adopt titles such as “Chief Information Risk Management Officer.” This is a welcome development, given that making cybersecurity everyone’s responsibility has been a longstanding goal of the information security community.
In the years ahead, the new breed of information security leaders will need to focus on:
- Establishing uniform perspectives and behaviors that can crystallize into social norms regarding the use and handling of information at work – even when those norms are different than those governing how people handle personal information at home.
- Managing the uncertainty and ambiguity that comes from the shift to a front-line, decentralized approach to information security.
- Having exceptional strategic orientation and the ability to communicate and influence outside of one’s chain of command.
- Combining technical savviness with broader business understanding, as the role expands from just addressing cybersecurity threats to the broader mandate of managing information risk.
These changes will only take place, however, after the necessary perception and behavior regarding information risk and security becomes broadly ingrained throughout the organization. Until then, information security leaders will have their hands full creating that consensus and nudging us to a more secure future.