The evolving role of the CISO: From tech expert to business partner – The European Magazine
22 February 2025


Rethinking cybersecurity leadership in a shifting threat landscape


By Paul Watts, CISO Leadership and Strategy Advisory and Distinguished Analyst, Information Security Forum



Last year, 343 million people were victims of data breaches, which cost businesses $4.88 million on average; the costliest category of cybercrime was business email compromise, accounting for $3 billion in losses. And yet only six percent of CEOs view cybersecurity as a top priority. The fact is, there has always been a misalignment between the business and security leadership over cybersecurity resilience.

On the surface, the poor perception of cybersecurity's business value looks like a communication issue: most CISOs struggle to speak the language of business, while non-technical leadership struggles to grasp technical jargon. Looking at the problem more closely, the issue may be more deeply rooted in the structure of traditional cybersecurity teams and security leadership roles.

Hub-and-Spoke Centralised Operation Model No Longer Fit For Purpose

Most cybersecurity teams began as transactional, service-oriented functions, taking orders from IT teams or the business. But as these functions evolve and become more independent (particularly in large organisations), they take on a more centralised role in which it is assumed that their job is to enact risk management and have oversight of every single business aspect and process. Whilst CISOs believe they are helping to protect the business, the perception can in fact be the opposite: 43% of boards see CISOs as too repetitive, nagging, or overly negative.

The truth is that everyday security, compliance, and oversight activities can be so overwhelming and burdensome for CISOs that they spread themselves too thin and lose sight of business priorities and direction. Eventually the relationship between security and business teams suffers, and perceived value falls.

The CISO Moniker Is Also Being Abused

There have always been misconceptions and confusion about what CISOs actually do and what is expected of them. For example, there has been a 35% rise in CISO roles being filled without the organisation fully understanding what the role entails.

Some CISOs carry an impressive title but oversee only a small part of the security function; some have limited influence and are excluded from strategic decisions; some are hired simply to satisfy compliance or regulatory mandates, such as the SEC cyber disclosure requirement. This abuse of the CISO moniker, together with a confused remit, does little to demonstrate the CISO's value to a disengaged business and boardroom.

Decentralising Cybersecurity with a BISO

A majority of recently surveyed CISOs (84%) believe that the CISO role should be split into two functions, business and technical. Whether or not the role is formally split, the reality is that modern CISOs need to spend an increasing proportion of their time working with business leadership, developing security strategies that align with business objectives whilst ensuring the business stays abreast of risks, threats, regulations and compliance.

An emerging role, the Business Information Security Officer (BISO), is helping CISOs achieve this. The BISO focuses on forging closer bonds with regional and business teams and on designing a security value proposition that supports strategic or departmental objectives.

The BISO also serves as the arms and legs of the CISO, driving the execution of security strategy across the business and feeding the CISO much-needed business insight. These inputs enable CISOs to align security strategy more closely with business strategy and break down communication barriers between business and cybersecurity teams.

The decision to appoint a BISO ultimately comes down to the scale of the security team and the organisation's geographical distribution. CISOs of smaller businesses can consider cultivating "security champions" in the first instance, aligning cybersecurity more closely with the business itself, which may begin to deliver the progressive changes required in organisational security culture. That said, it is not solely the CISO's responsibility to understand the business better; it is equally important for business leaders to take a deeper interest in the cybersecurity strategy. Transparency about the CISO's role is crucial to ensure CISOs are set up for success and can effectively manage risk and drive security resilience across the organisation.

Further information
www.securityforum.org/meet-the-experts/paul-watts
