The changing nature of the CISO

Fortinet Field CISO’s Alain Sanchez and Daniel Kwong examine how the role of the CISO has changed over the year and what role they will assume in 2023

As we head into 2023, the role of the Chief Information Security Officer (CISO) is shifting more than ever. As cybersecurity remains a board-level discussion, and cybersecurity risk continues to increase, CISOs have substantial access within an organization, but also face significant pressure.

The biggest shifts for CISOs in terms of their role in a business in the last 3 years
In recent years, the role of the CISO has shifted dramatically. With the rise of cyber attacks, CISOs are now expected not only to protect data, but also to be proactive in identifying and preventing potential threats. In addition, CISOs are now often tasked with developing and implementing security strategies for the entire organization, not just the IT department. With the ever-changing cybersecurity landscape, CISOs must continuously adapt their strategies to stay ahead of the curve.

A decade ago, those who are now referred to as “CISOs” were not considered nearly as important as they are today. Quite often, at the time, they got answers such as, “Can’t you see I’m working?” or, “Oh no, not you again!” Today, the same people get a dedicated seat in that same boardroom. And, many CEOs ask them important questions, valuing their response. These questions actually call for answers, and perhaps the most amazing change is in the tone that is now used. “Can you provide insight into whether or not we can buy this company?” or “If you wouldn’t mind, can you prepare metrics regarding our cyber posture to present to our stakeholders next week”? The newly regarded CISO gets a budget, a team, and the right to directly recruit. Sometimes even, the voice of the CISO prevails over other long-standing professionals established on the upper floor. In fact, over the last few years, the teleworking policy, the collaborative database, legal reporting, and even the development roadmaps of innovative core applications have been placed under their direct leadership.

The shift in the role of the CISO from an operations focus
In recent years, there has been a shift in the role of the CISO from an operations focus to a strategic one. This is due to the increase in demands placed on CISOs to protect organizations from cyber threats. In order to be successful, CISOs must now have a deep understanding of the business, its risks, and its goals. They must also be able to build and maintain relationships with key stakeholders.

One example is that the board wants more than just a service-level agreement on security incident response. Instead, they are looking for a protection-level agreement to ensure digital assets are continuously patched and protected to proactively react to cyber incidents that may cause business disruption.

Gradually, the CISO has become more involved in the decision-making processes. Almost systematically now, when innovation is involved, the CISO’s voice makes a difference. And that difference is not about saying no all the time. Rather than speaking from the voice of “Mister No” the CISO has turned into a source of inspiration for innovation, rallying data analysts and software developers under the same banner of secure operations development. In order to do so, the CISO and their team have initiated a healthy dialog between production, marketing, finance, and even HR and Legal. As a consequence, this has shifted the focus from bits and bytes language towards more business-oriented notions such as risk, market footprint, and compliance.

Important strategies for CISOs in 2023
CISOs should always keep in mind the importance of strategy when demonstrating business value. This means considering both the short- and long-term effects of decisions, and making choices that will benefit the company as a whole. In the short term, it may be tempting to cut corners or take shortcuts, but doing so could jeopardize the company’s security in the long run. It’s crucial to remember that the goal is to protect the organization’s data and assets, not just to save money. An effective way to demonstrate business value is to understand the “kill chain” of a business. Most CISOs are very familiar with the technical concept of the cyber kill chain in cybersecurity, but it’s important to also understand the impact a cyber attack can have on critical operations and the revenue or reputation loss that may result from it. CISOs should keep the assets or data being protected top of mind, ensuring they are prioritized according to the business value kill chain. Place a higher focus on risk management tools for assets and data that have a critical impact on business operations.

The CISO should keep in mind a holistic approach when considering the benefits of the solutions. When discussing secure access, for instance, the deployment of authentication technologies could seem like a change of behavior in the eyes of users who are only exposed to VPN once a day. However, the overall benefit of a whole infrastructure dynamically protected by a holistic ZTNA strategy is far superior to securing the session, the application, or the segment. The CISO must be fluent in articulating these benefits and expressing them in terms of risks so that the stakeholders understand that the pros outweigh the cons.

New roles “expected” of CISOs in today’s organizations
The role of the CISO has evolved and expanded to meet the ever-changing needs of organizations. Today, CISOs are expected not only to be technically savvy but also strategic thinkers who can help organizations navigate the complex cybersecurity landscape.

In addition to traditional CISO responsibilities such as developing and implementing security policies and procedures, CISOs are also expected to have a deep understanding of business operations and objectives. They need to be able to align their security strategies with the goals of the organization and create programs that effectively protect against cyber threats. As the cybersecurity landscape continues to evolve, so too will the role of the CISO. Organizations will continue to expect CISOs to be innovative and adaptable leaders who can help them stay one step ahead of the latest cyber threats.

In today’s organizations, it is important for CISOs to serve as a leader of change rather than a manager of technologies. Digital transformation is such a big wave that the successful deployment of advanced cybersecurity solutions involves the entire company, all employees included. The human dimension of the role is a key success factor when you consider that 60% of transformation projects continue to fail for having underestimated the user adoption aspect. Policies that change the way people work, such as teleworking, ZTNA, or DevOps need to be explained before they are enforced. Explaining the why of cybersecurity becomes just as important as implementing the how.

Conclusion
The CISO’s role is no longer just about protecting the organization from cyber threats. CISOs are now a key business enabler, tasked with delivering business value. Acting as a Risk Controller reduces operational risk and enhances the organization’s security posture by acting as a change agent. Further, today’s CISO acts as an effective communicator to the board of management to help close the organization’s cybersecurity gaps.

With more risk, more visibility, and more leadership, the role of the CISO becomes much more interesting, embracing every key department of the company including the lines of production. Today’s CISO is not only an expert in technologies, but is also a strategist, an influencer, and a source of inspiration throughout the entire value chain.