The CISO Evolution – From IT Operations to Earning a Seat at the Table
With the escalation of cybercrime, the role of the Chief Information Security Officer (CISO) is fast evolving beyond its traditional operational functions of monitoring, repelling and responding to cyber threats. Continuous change in our connected business landscape has made customer data, intellectual property and brand assets new targets for information theft, and their loss directly affects business performance and shareholder value. In response, CISOs are moving into a stronger leadership role, with an imperative to step beyond the confines of reaction and enforcement.
As I looked at this list of influential security officers across a broad spectrum of industries, I realized we are all tasked with an evolving and challenging assignment to secure the integrity of our businesses and customers: integrate fully within the organization, approach information risk management strategically and lead the transition toward a culture of shared cybersecurity ownership across the enterprise.
The losses stemming from modern cybercrime are not limited to high-profile attacks. While 2016 brought sensational headlines of half a billion records stolen from a leading online search portal (and a subsequent massive devaluation of the company), catastrophic hacks on a major political party and serious attacks on other corporate giants, small-to-midsized businesses were just as vulnerable.
Many organizations can quantify the revenue losses they experience from public breaches. Twenty-nine percent of security professionals responding to our 2017 Annual Cybersecurity Survey said their organizations had lost revenue as a result of cyberattacks; of that group, 38 percent said the loss amounted to 20 percent of revenue or more. Customer attrition is a second cost: 22 percent of responding organizations said they lost customers as a result of attacks, and of those, 39 percent said they lost 20 percent of their customers or more. These are very high stakes.
Such dramatic consequences are possible because cybercrime has matured significantly. The threat has quickly advanced from unrefined "old school" hackers to "new school" professional cybercriminals linked to multi-billion dollar businesses with targeted ROI and sophisticated supply chains. It is a new form of organized crime, and the security of most businesses is not keeping pace with it. Weak security not only increases the risk of harm to existing operations; it can also hinder innovation and the progress of mission-critical initiatives.
Therein lies the CISO's challenge and opportunity. Much as the Chief Information Officer (CIO) role went through a decade of change, from running infrastructure operations to becoming a business enabler and senior leadership peer, the CISO role is following a similar journey. The Guardian and Technologist is giving way to the Business Strategist, the Business Enabler and the Trusted Advisor, who articulates risk, reviews metrics and reports regularly to the board. The importance of this shift is evidenced by changes in CISO reporting structure, with 35 percent of CISOs now reporting directly to the CEO or President. The rate at which boards are formally updated on cybersecurity risks also increased by roughly 20 percent in 2017 compared with 2015.
This greater business engagement requires CISOs to realign priorities and perhaps build some new skills. It is a compelling moment of opportunity and responsibility for a profession that is emerging from the back room of IT to a much-needed seat at the boardroom table.
Source: Forrester, 2015