Charles Darwin said, "It is not the strongest of the species that survives, nor the most intelligent. It is the one most adaptable to change." With that in mind, is it time for the role of the chief information security officer [CISO] to change?
Since the birth of cybersecurity, arguably about 30 years ago, the role of cybersecurity within corporations has evolved. Thirty years ago, we simply needed a great technologist to install anti-virus software and a firewall. But today, revenues and websites are inextricably linked.
Over the past 30 years, CISOs have risen through the ranks as technologists. Universities didn't offer undergraduate education in the role of a CISO back when they started their careers. How could they have been expected to? It was a brand new responsibility.
Compare the career path of a CISO to that of a chief financial officer: As an aspiring CFO, you'd graduate university with a variant of a commerce or accounting degree, then perhaps serve as an accountant and earn your spurs at a company until you were awarded the responsibility of CFO, years later. Or what about a CEO? An MBA might prepare you.
But unlike in the past, the contemporary role of the CISO is no longer purely technical. It is now time for the role of CISO to mature into the primary responsibility it was destined to become: one rooted in a deep knowledge of technology and combined with sharp business acumen.
The modern CISO needs to understand the entirety of what's going on within a corporation, from how their team's decisions will affect business, to how the decisions of other departments will affect revenue streams. The ability to articulate business risks to the organisation and to the board is also imperative.
Until new graduates of university-level cybersecurity programmes earn their stripes and their gowns, we will have to accommodate CISOs who might not be so well-versed in business.
To solve this issue, I argue the CISO should report to a person within the organisation who understands risk, can articulate it in business terms and, since cyber is so critical to an organisation, this person needs to have a seat on the board. This could be the general counsel.
The general counsel's primary responsibility is to mitigate risk to the organisation. If an old-school CISO technologist reports to a general counsel, the latter might have a better chance of understanding the elements of online risk, how those risks fit into the overall health of the organisation and how to articulate this to the board.
Or perhaps it's time for the CISO to report to the CEO, argues Peter Alexander, chief marketing officer of the cybersecurity firm Check Point Software Technologies. How times have changed: Peter remembers 30 years ago, "when the chief information officer [CIO] used to report to facilities management! This was the day when information technology largely consisted of looking after communications tools like phone systems and fax machines."
At the very least, the CISO should no longer report to the CIO. For a start, the two are often at odds regarding budget. Simply put, the CIO receives an annual bonus based on his or her ability to save the organisation money. This works well in IT, where life typically gets easier due to the ingenuity of amazing technologists making better and cheaper tech tools for business and life.
Not so in security, where we experience the opposite. Life gets harder because of the ingenuity of bad actors. The CISO needs to spend money. His or her primary concern is to buy the best technologies and hire the best staff and/or security team to protect the organisation against new and evolving threats. When a potential breach looms, the department of the CISO shouldn't have to buckle under the weight of saving money while defeating hackers. When it's time for war, the objective is to win.
Whether a CISO should report to the general counsel or the CEO, the strongest of the CISO species that will survive are those most adaptable to change.
Edwin Doyle is Global Security Strategist at Check Point Software Technologies.