Why Companies Should Consider Developing a Chief Security Officer Position


Founder and CEO, Corix partners | Author “The Cybersecurity Leadership Handbook for the CISO and the CEO” | Board Advisor | Non-Executive Director

In many large organizations, I notice that defining and structuring the role of a chief security officer (CSO) is starting to make more and more sense. The concept is not new and is generally used to encompass all aspects of security that a company may face – physical and digital.

I think it’s time to take a broader look at it in many large companies. Broadly speaking, the role of the CISO (chief information security officer) has failed to drive change and build sufficient momentum around cybersecurity issues over the past two decades.

This is likely caused by an excessive technology focus, which has trapped CISOs in technical firefighting and prevented them from engaging adequately with the rest of the business and developing sufficient management and political acumen.

As the penny drops in the boardrooms and the “when-not-if” paradigm dominates around cyberattacks, I see the implementation of protective measures becoming paramount, alongside risk appetite or compliance considerations.

It increasingly seems that many CISOs feel trapped in an impossible role where they are expected to be audible and credible across the depth and breadth of the enterprise, from boards and regulators to pentesters and developers. This is something I’ve seen all too often in the field myself as a CEO and board advisor.

I believe that no profile can effectively achieve such a wide range of skills, and it is starting to make sense to develop the role by separating the components it has accumulated over the years.

This is made all the more important by regulatory and reporting pressures, which have steadily increased over the last decade for all companies in all sectors of the industry: it started around data privacy with the GDPR in Europe and many similar state regulations in the US. Reporting requirements are now evolving at the federal level, and governance aspects are also receiving increasing attention and stricter supervision.

This regulatory intervention is simply the result of devastating cyber attacks that have threatened or affected major infrastructure components and highlighted in broad daylight the extent of the disruption these types of events can cause.

As a result, senior executives have begun to look beyond traditional business continuity approaches and to pay more and more attention to resilience concepts. All these aspects (cybersecurity, regulatory compliance, resilience) have one key element in common: they are cross-functional and require a reach across business silos to be effective and efficient.

I would add that on those three fronts the risk dimension is becoming more and more obsolete. It is no longer about events that may or may not happen, but simply a business reality that must be taken into account in the way the company operates.

These factors are driving momentum behind a redefined role for the CSO that oversees physical and cyber security, as well as data privacy, operational resilience and the associated compliance and regulatory reporting obligations. I believe a role of this scope would make sense in most companies and should operate from the top of the company as part of the most senior management team.

If viewed as a senior management role, it can focus on building the necessary cross-functional channels, ensuring they remain active and bridging business and political issues by bringing enough seriousness and credibility to the issues involved.

In my opinion, we are miles away from the current role of most CISOs (our starting point), but that doesn’t make their work any less relevant. On the contrary, it presents an opportunity to refocus the role of the CISO on its original technical content and give it a refreshed currency by doing away with the layers of business responsibility added over the years, for which its holders – most of them technologists by profession or background – were perhaps ill-prepared.

A dual reporting line to both the CSO and the CIO (chief information officer) would then make sense for the CISO and provide a degree of independent oversight in industries where segregation of duties issues are under scrutiny. This type of model, I believe, is essential to drive large-scale programs, where cybersecurity maturity is low and urgent transformation is required in an organization’s cybersecurity practices.

Find the right candidate to be your CSO

The combination of the CSO’s top-down and cross-functional influence with the CISO’s technical reach should be key to creating and sustaining the momentum needed to drive change and break through business resistance wherever it occurs.

In my experience, companies looking to implement these types of CSO roles should look internally for the right executive: at the end of the day, it’s all about trust, and your candidate should have a deep understanding of how to navigate the internal workings of the organization. I would recommend looking for someone who is an ambitious leader, not someone at the end of their career. Additionally, consider assigning this role to a seasoned executive who you think is genuinely motivated by protecting the business from active threats and is able to take an elevated long-term view where appropriate, above the company’s short-term fluctuations. Demonstrating leadership in such a complex field should be seen as an opportunity to demonstrate skills that can be applied elsewhere in the organization.

And finally, make sure you don’t appoint another technologist to the role: the profile of the CSO should be a business profile, so that cybersecurity can finally be embedded in a broader business context.
