The Emerging Role of the Chief Information Security Officer in the C-Suite

Today, no business executive would disagree with the statement that cybersecurity is a business issue, not just a technology issue. An increasing number of businesses and governments experience cyber incidents, and the way they handle such incidents can have a significant effect on their reputation.

A cyber incident can cause several kinds of damage for companies. The first is damage to business continuity: if a company’s IT systems or operational systems are compromised, the company may need to decide to halt the operation of those systems. The second is loss of stakeholder trust. Today, business transactions are conducted under the assumption that information provided by companies is accurate and reliable. If a company’s IT systems or operational systems are compromised, information is manipulated, and the company can no longer guarantee the integrity of the information it provides, then the company is unqualified as a trusted business partner.

Along with this, digital innovation is emerging as a new reason why cybersecurity is a business issue. Many innovations are taking place in all parts of the world in the form of AI, big data, robotics, fintech, biometrics, and so on. Unless a company is digitally secure, it cannot internalize digital innovations into its business systems and leverage them for value creation. In the age of digital innovation, cybersecurity is becoming an imperative for business growth, presenting a new challenge for the C-Suite.

Cybersecurity has traditionally been a topic that only a few executives were expected to understand. However, as security concerns spread across the business, cybersecurity is now a topic that concerns all members of the C-Suite. For example:

  • A Chief Financial Officer needs to ensure secure transactions between financial institutions or business partners.
  • A Chief Marketing Officer needs to master how to ensure cybersecurity in marketing activities conducted via digital and social media, and
  • A Chief Human Resources Officer needs to ensure that digital recruiting processes are secure in a competitive market.


A New Opportunity for the CISO

How cybersecurity is addressed within each management function needs to be harmonized under company-wide priorities and principles. This presents a new opportunity for Chief Information Security Officers (CISOs). Traditionally, the CISO has been a supporting role for the Chief Information Officer or the Chief Risk Officer. However, a CISO now needs to interact directly with all C-Suite members. The C-Suite needs to agree, from a holistic perspective, on what the company wants to protect, and the CISO needs to facilitate these discussions.

To facilitate these discussions, a CISO should ask the C-Suite the following questions:

  • “What are our crown jewels that we want to protect with top priority?”
  • “What are the business consequences if those crown jewels were damaged?”
  • “How much investment are we willing to make to mitigate those risks?”

Across an organization, there are many solutions for ensuring cyber resilience. A technology solution is Managed Security Services. A financial solution is cyber insurance. An operational solution may be a Computer Security Incident Response Team (CSIRT) or employee training. A legal solution may be fiduciary actions taken on a lawyer’s advice. The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. In many companies, who leads this effort is not defined. This is a new space in corporate business management and a new opportunity for the CISO. By taking on such a role, a CISO can make a company-wide impact and contribution: when the CISO leads this effort, the cybersecurity strategy becomes a comprehensive and integrated package rather than an aggregation of independent tactics. It is owned by the entire C-Suite and woven into the company-wide business strategy.