The role of Chief Information Security Officer (CISO) emerged as cybersecurity became a major concern for organizations that were gradually transitioning to digital operations and needed someone responsible for the continuous operational efficiency and security of the enterprise. The CISO is therefore a fairly new addition to the C-suite: the first recorded appointment to the role was made only in 1995.
As the digital environment continues to evolve and organizations continue to rely on a remote or hybrid workforce, the CISO’s role remains as critical as ever. Its importance has grown to the point that the CISO now carries the full weight of the organization’s data security. Some challenges remain to be addressed, however, particularly the working relationship between the CISO and the other members of the C-suite.
Shifting expectations
Alongside the continuing evolution of technology, expectations for the CISO role have changed dramatically across organizations in recent years. Technology is not the only driver: increased scrutiny from regulators and growing demands for accountability for security breaches have also played a part.
Many CISOs also find themselves acting as the bridge between the business side and the technical side. They therefore need to speak the language of both, which matters most when a cybersecurity issue within the organization calls for action from the business side.
As a result of these changing expectations, CISOs are increasingly asked to assume responsibilities that would normally be considered those of a C-suite role, yet at many organizations they are not regarded or treated as C-suite. At a macro level, this reflects a broader challenge for CISOs as they try to find their place at the leadership level.
The anti-CISO bias
Indeed, in some organizations there is a perceived anti-CISO bias despite the critical importance of the role in IT and network operations. This has been attributed to a historical bias: CISOs are often perceived as “techies” incapable of learning the language of the business, despite their efforts, noted earlier, to learn that language and bridge the technical gap.
Inertia is another factor in this bias. It is especially pronounced in large, complex organizations, where adjusting to new challenges and organizational shifts takes time.
Because of these biases and challenges, CISOs tend to be siloed when it comes to skills development, particularly the executive skills development that is valued at the C-suite level.
If CISOs are to be considered as a keystone within the organization, the longstanding perceptions about their role and what they do need to be changed. The key to addressing the anti-CISO bias is to establish an alignment between the CISOs and the rest of the C-suite.
Relationship with the CIO/CTO
Historically, enterprises appointed Chief Information Officers (CIOs) or Chief Technology Officers (CTOs) to perform the functions the CISO now performs, and hired CISOs only when their security needs or regulators demanded it.
Because of this, some organizations have placed the CISO role under the CTO. In the current technology executive market that is no longer the case, as CISOs now command as much as, if not more than, the CTO. Resource allocation is also a problem: the CIO/CTO tends to receive more of the organization’s budget for large technology projects than for security, and the CISO has only limited capacity to influence the security budget because they have no direct line to the board.
Thus, the first step in aligning the CISO with the rest of the C-suite is for the organization, and particularly its board, to acknowledge that the CISO is a unique role in its own right and no longer a subset of the CTO/CIO role, with specific functions, priorities, and needs that warrant the support of the whole organization.
Alignment with the CEO
Key to this support is the full backing of the CEO, who provides the CISO with the resources needed to perform their functions effectively. The CEO has the authority to provide such resources, especially the budget. More importantly, the CEO has the power to grant the CISO the authority to make critical cybersecurity decisions swiftly.
Given the complexity of the cyber threats in the wild, the authority and resources the CEO places at the CISO’s disposal are critical to the organization’s ability to respond promptly and fend off impending threats. In establishing this alignment, CISOs should communicate with the CEO in clear, everyday language. Effective messaging is the key, and it should flow in both directions.
Alignment with the CFO
While the CEO has the authority to approve budgets, the CFO (chief financial officer) decides how those funds are allocated. Admittedly, getting the CFO to understand the need for security-related resources can be more difficult.
Since CFOs like to see hard data, CISOs can create a security plan that shows which threats were defended against and how, as well as where attackers were aiming in a given period. With that information in hand, the CISO and CFO can create a plan for the upcoming fiscal year. Regular reviews ensure fewer or no surprises in subsequent budget requests.
Aligning the CISO with the C-suite requires a major shift in perception and an openness to change. Some organizations will resist these shifts, but the ever-changing technology environment, and particularly the threats that come with it, makes them necessary if the organization is to survive and thrive.