As the role of the CISO continues to evolve, areas that were once the personal responsibility of the CISO will shift to other members of their team. Just as a CMO with a background in PR hires a head of PR, the “techie-turned-executive” CEO—who was once mostly focused on the latest technology—will have to rely on other team members to be the most credible technical sources in the room and to stay up to date with the latest security advancements.
What does that mean for the CISOs of tomorrow? How will they shift their focus to the “executive” aspects of their roles and build out their teams? How will they prioritize their roles and responsibilities? How will they interact with and communicate to the rest of the organization, whether it is the board, the C-suite, their own teams or the rank and file?
Working with my colleague Jamey Cummings at Korn Ferry and Paul Calatayud from Palo Alto Networks, we have identified the top five things CISOs will need to prioritize as they shift their focus to a role of business enablement, higher visibility, and greater accountability. They are:
No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness
This is a current challenge that is only growing. Addressing these needs sets the foundation for everything else the CISO must do in the coming years. Since the cybersecurity landscape is constantly changing, in addition to attracting new talent to the industry, continuous training and skills development for existing teams are essential. As different business units move data and services to the cloud, the CISO must develop programs and personnel to train the entire organization on proper cyber hygiene and cybersecurity awareness.
No. 2: Incorporating regional laws and regulations into cyber strategy
For multinational companies, larger strategic regional teams will be needed to address the complexity of data and privacy laws. GDPR, for example, is a regulation that is global in nature because of the number of companies around the world it impacts. When thinking about regulations like this, the question for companies becomes: how do you create capabilities that address something like GDPR in the context of European stakeholders while still considering Canadian or U.S. privacy laws?
No. 3: Embracing the DevOps philosophy
DevOps is a movement to reduce the technical inefficiencies between IT, developers and security teams. It is about automating the deployment, maintenance and security tasks that these teams have traditionally done manually and separately. What DevOps means for CISOs and security teams is that cybersecurity is starting to be prioritized at the outset of any IT-related project. CISOs who embrace the DevOps concept and prioritize DevOps roles on their teams will be better aligned to the rest of the organization in the coming years.
No. 4: Tackling IoT Security (Corporate and Personal)
According to Gartner Research, the projected number of connected devices is expected to reach 20 billion by 2020. With this comes more security risks. CISOs will need to start thinking about how to not only protect the IoT devices that are corporate property, but also the personal devices that are coming in and out of their networks. Oftentimes, IoT devices connect to company laptops or mobile phones that have legitimate access to the corporate network. It’s reasonable to assume that, if a personal IoT device is compromised, the corporate network might be vulnerable as well. Progressive CISOs will need to think about how to guard against threats posed by personal devices and figure out which members of their team are best-suited to manage that.
No. 5: Aligning with Product and Physical Security
While product and physical security teams might not fall under the CISO’s umbrella today, they will become increasingly intertwined as cybercriminals become more creative. CISOs should be thinking about how they will better align with the groups responsible for these disciplines to make sure that cybersecurity is consistent across all areas of the business.
Cyber risk touches every area of a modern business and the importance of the CISO and InfoSec Team is growing. Regardless of how these roles evolve in one organization versus another, CISOs will always have to go back to the same basic question: what do we need to prioritize to help keep our particular business secure and thriving? To learn more about what CISOs can do today to keep their businesses secure and thriving, see part four of our series: What CISOs Can Do Today, coming next week.
View the full report that outlines what’s ahead for CISO leaders.