In an age of extensive data theft and aggressive regulations, the role of the CISO is not one for the faint-hearted. Matt Cockbill, Head of the IT & Digital Leadership Practice at Berwick Partners was recently asked for his opinion on whether he thought CISOs were ‘burning out’.
I confess the question took me a little aback. I see it as a one of the most exciting seats in a business’ senior leadership team with much to do! Between the threads of technology, change, commercial alignment and asset protection, there is plenty to occupy these defenders of the corporate realm. Perhaps that is the point; are CISOs getting sufficient buy-in and support from their Board to be successful, or are they at risk of being over stretched?
No doubt, the contemporary CISO has a big task in hand, but has many tools at their disposal. The most obvious is technology. The spectacular rate of IT change is hard to match, bringing new interdependencies, integration points, potential risks and threats. However, fighting fire with fire, CISOs are using AI, ML and RPA to automate the identification and response to threats by internal teams and external partners. Get this right and technology will drive enhanced protection, prevention and commercial advantage.
This leads neatly onto the area of talent. With CISOs and security service providers all seeking to secure such scarce skills for their teams, the demand for quality talent currently outstrips supply. The right talent brings skills and experience able to adapt and evolve – critical in keeping the enterprise secure. A CISO must be adept in recruiting, managing and retaining talent. And where it can’t be found externally, grow its own from within. What must come next is exceptional leadership; the fine art of motivating direct and supplier teams to deliver exceptional shared outcomes.
Alignment to commercial purpose
Underpinning these considerations is the need to align people and technology to a commercial purpose. Whether this manifests in a need to meet regulatory compliance, or to enable nimble commercial operations, it is through dextrous leadership that information security and cyber solutions gain trust and sponsorship from commercial stakeholders. An effective CISO creates the secure space for commercial leaders to operate and drive the delivery of new products and services. Consider data; a short time ago considered the ‘new oil’ and an off-balance sheet asset to be managed. With the onset of GDPR, it is now equally considered a liability with risks to be managed.
However, it is the ‘normalisation of cyber & information security’ into every aspect of business operations which is the most effective tool in creating positive and effective security outcomes. The most effective behaviour change is always led ‘top down’. So the hard fought board sponsorship required to fuel security investments must translate from words into deeds. Boards must be advocates for change, leading by example to ensure ever evolving operational security effectiveness.
What is clear is that the CISO role is not for someone who can be easily deterred. No doubt some are worn and weary. The responsibility for success lies in the effective partnership between the security function and the rest of the leadership team. Boards must select carefully and then back their CISO fully. In the meantime CISOs must continue to evolve and meet the challenge head on; there is plenty to go for!