Faced with escalating cyber threats and increasingly complex regulatory mandates, chief information security officers (CISOs) are experiencing growing pressure to protect critical information and infrastructure assets, while also embracing strategic business initiatives to integrate a comprehensive enterprise approach to cybersecurity.
“As organisations realise that cyber risk is intimately linked to their innovation and growth strategies, expectations of CISOs are changing dramatically,” says Ed Powers, principal, Deloitte & Touche LLP and US leader of cyber risk services.
“An effective CISO can no longer rely on his or her technical expertise alone.
“They must understand how strategic initiatives create risks and develop security programs that balance the need to drive business performance with the growing realities and complexities of protecting customers, intellectual property, and brand.”
Research findings from Deloitte’s CISO Transition Lab claims that this can be especially challenging for CISOs who are new to their roles and those who are hired from outside and don’t have deep knowledge of the organisation.
“One of the early expectations of a new CISO is that somehow you are going to step back and see the forest through the trees and be able to tell what you are going to do to make this security program take off,” Powers adds.
“That is where the results of the Transition Lab came into play.”
Findings from Deloitte’s CISO Transition Lab reveal that the highest priority for 77 percent of Lab participants is to promote better integration of business and information security strategies, followed by improvement of data governance and protection.
Improvements in the areas of security program governance and talent management are also named as key priorities.
“Going through the CISO Transition Lab enabled me to understand these dimensions and make choices about how I can better build my team as well as discern my role that enables me to give more value to my organisation,” adds Tim Callahan, chief information security officer for insurance company, AFLAC, the largest provider of supplemental insurance in the US.
“Given all the pressures of the job, without that, you’re always putting out fires instead of having meaningful impact on the risk posture of the enterprise.”
Deloitte reports common challenges shared by new CISOs, including a lack of resources and effective team structure, ineffective communications/reporting among stakeholders and throughout the organisation and inadequate governance including overall strategy and processes.
Furthermore, CISOs that are fresh in the role cite a lack of support or trust from executive leadership and stakeholders as well as insufficient funding as common barriers to overcome.
As a result, Powers believes a successful CISO determines early how to balance priorities and challenges.
“It’s in the CISO Transition Lab that the four faces framework is introduced and enables the enterprise security function to find and define their balance across four primary roles,” he explains.
Four faces of the chief information security officer
Strategist
Drive business and cyber risk strategy alignment, innovate and instigate transformational change to manage risk through valued investments.
Advisor
Integrate with the business to educate, advise, and influence activities with cyber risk implications.
Guardian
Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
Technologist
Assess and implement security technologies and standards to build organisational capabilities.
Lab findings also indicate that, on average, CISOs today spend 77 percent of their time as “technologists” and “guardians” on technical aspects of their positions, and that they would like to reduce this investment to 35 percent.
“This demonstrates a recognisable shift in their desire to place greater emphasis on the “strategist” and “advisor” functions,” Powers adds.