Re-energizing the CISO

Written by Eric Gneckow

OCTOBER 20, 2020

As the disruption of 2020’s coronavirus pandemic settles into something of a predictable rhythm, a handful of information security executives recently offered comments reflecting on the long-observed evolution of the chief information security officer into an absolutely indispensable strategic business leader for the large enterprise.

This role became even clearer in the rapid pivots to remote work and digital business delivery that were necessary in the early stages of the pandemic. Thrust into the ultimate crucible of digital transformation, CISOs were key technology and process innovators, making possible the safe, secure and seamless business operations that preserved untold scores of jobs and organizations.

Now, as conditions stabilize, what is the CISO’s current stature, what is its future state, and what will it take to get there?

“For a number of years, security leaders have counseled their peers and the leadership within their organization about the dangers of attacks from bad actors and from an ever-evolving compliance landscape. Unfortunately, businesses do not address unrealized risk at the same rate as something they have seen before. Now, more organizations have leadership, both at the C-level and board level, that have had a firsthand exposure to a cyber incident and the inclusion of information security is becoming more expected. Agreements with third parties and cyber liability policies are also forcing businesses to ensure their security programs are built to a higher standard. These multiple factors are resulting in an evolution of the security role from simply observing the business strategy to being a participant in its creation,” said Michael Mongold, senior director, information security and chief information security officer for Deckers Brands, in a contribution for a recent Voice of the Community piece for Evanta, a Gartner Company.

Thanks both to the educational efforts of the security function and to business leaders’ growing awareness of worldwide cyber risk, CISOs are increasingly part of the conversation on major strategic business decisions.

So what will it take to maintain, and advance, that level of influence? For the same piece, David Lipscomb, director of IT security and compliance for ASM Global, offered his thoughts on how to frame the security leader role.

“Information security leaders are key players in business outcomes. They provide risk analysis, due diligence on mergers and acquisitions, and have policies in place that reduce the risks of data breaches. As the roles evolve, business leaders will increasingly look to Information Security leaders to maximize the information ingested into their systems and use it to fuel business ideas and projects,” he said.

Eric Gneckow

Director, Content at Evanta, a Gartner Company