1 A CISO’s Role in Security Leadership
In this day and age, the security of internet-connected devices and applications has become critical to the success of firms operating online. While the internet has given businesses many opportunities to trade, expand their operations, and reach customers more easily, it has also introduced cybersecurity risk to both the businesses and the customers that interact with them through digital platforms.
Cybercrime has been rising for years, and data breaches continue to wreak havoc on companies globally. It has become essential for any business that handles financial or other sensitive customer data to implement security measures that keep the organization secure. Organizations now have departments dedicated to the security issues that arise from their interactions with the digital world.
One of the key positions in modern organizations is the chief information security officer (CISO), who is generally tasked with security-related duties.
In this chapter, you will learn who and what a CISO is, the requirements of the CISO role, how it differs from other technology leadership roles, and what is required for you to be successful in the role. The chapter will also cover how to develop the core components needed to be a good CISO for your organization.
You can expect the following topics to be covered in this chapter:
- Defining a CISO and their responsibilities
- Understanding similarities and differences between a CISO and a chief security officer (CSO)
- Distinguishing between a chief information officer (CIO), a chief technology officer (CTO), and a CISO
- Designing a security leadership role
- Expanding the role of a CISO
- The changing role of a CISO
- How to become a CISO
- Learning about CISO certification
Defining a CISO and their responsibilities
In this section, we provide a definitive description of the term CISO, the role of a CISO in a firm, and the importance of this position in any modern organization. The section introduces the digital platforms organizations depend on and the integral role that CISOs play in keeping them running securely.
Definition of a CISO
A CISO has an executive-level position within an organization and is tasked with establishing and maintaining various mechanisms and structures that safeguard the informational and technological assets of the organization. CISOs are technologists who can participate in high-level initiatives as business strategists. CISOs ensure that information technology (IT) systems comply with security and regulatory requirements. In summary, a CISO is the top cyber executive of an organization.
The accompanying figure (not reproduced here) shows a man interacting with a digital device that bears the name CISO and depicts a lock. It conveys the core role of a CISO: keeping digital platforms safe from external threats.
In the next section, you will discover the responsibilities of a CISO.
Responsibilities of a CISO
The main responsibilities that a CISO performs in an organization include the following:
- Determining and establishing the right governance and security practices for the organization
- Creating and enabling a framework that lets business operations scale while keeping risk at an acceptable level
- Helping executives at a C-suite level understand cyber risks
These three items are the overarching responsibilities of a CISO in any organization. The supporting responsibilities that flow from them include the following:
- Evaluating the IT landscape and determining the factors that affect the security of the organization's digital platforms.
- Devising the policies that govern the organization's use of digital platforms and their effect on its operations.
- Quantifying security risks and determining the level of risk they pose to the organization and taking necessary steps to curb the threat.
- Communicating effectively with the rest of the organization about updates and changes to a system, and during the aftermath of a security breach, so that the organization presents a united front when responding to an incident.
- Recruiting a capable team that is responsible for mitigating threats. As a CISO, it is important to have an informed team that can identify threats and take the necessary action against such threats.
- Keeping up to date with the IT landscape to stay informed of evolving threats and of the resources that help mitigate them. A CISO who invests in studying new threats and acts proactively leaves adversaries far less room to succeed.
- Auditing security measures that have been put in place to safeguard the organization and ensuring that these measures are not only up to date but also capable of protecting the company from security risks and threats.
The next section will clarify what a CISO executive does in an organization.
What exactly is a CISO?
Before we dive deep into the nuances of cyber chiefs’ career paths, it is important to understand the nature of the role. Six critical responsibilities underpin a CISO’s success, and we’ll look at these in the following sections.
Trusted security advisor
As a CISO, you need to translate technical matters into the language of the business. In other words, you will help non-technical executives and boards understand technical matters so that they can make risk-informed decisions confidently.
Strategist
As a CISO, you need to get involved in setting goals, determining the actions that achieve them, and mobilizing resources to execute the prioritized actions, all of which need to be tightly linked to the business strategy.
Leader
As a CISO, you need leadership skills not just to build an inspired, cohesive, and diverse team, but also to set an example as a role model and create a culture of constant learning, innovation, and active collaboration.
Marketer
Modern marketing is the ability to harness the full capabilities of a business to provide the best experience for the customer and thereby drive growth. As a CISO, you need to evangelize your cybersecurity capabilities to regulators, client prospects, insurers, and business partners, helping to win new business, lower the cost of capital, and maintain the organization's license to operate.
Culture builder
CISOs should be able to create a cyber culture in which everyone in the organization understands cyber risks and helps to mitigate them.
Influencer
CISOs should be able to influence critical stakeholders to support the cybersecurity transformation.
This section has shown what a CISO does in an organization and the various core roles they play within an organization. However, there are other similar roles in an organization, and the next section seeks to clarify the distinct role of a CISO in relation to roles played by other officers in an organization.
Understanding similarities and differences between a CISO and a CSO
In some organizations, the roles of a CISO and a CSO are synonymous, and one individual performs both functions. Where an organization has both positions, their duties overlap to a large degree, with subtle differences between the two. Both executives are responsible for securing the organization's information and other assets. A CSO is normally accountable for security across people, processes, and products, which typically includes physical and personnel security, while a CISO concentrates on the information and cyber security controls that keep those people, processes, and products protected.
It is important to note that having two individuals in these two roles can lead to conflict, because the roles overlap and the ever-evolving nature of the challenges means that many issues could be classified under either. A CISO supervises a company's cybersecurity by designing and implementing the security program that deters and curbs the threats the organization faces. A CSO plays a similar role, ensuring that the organization is safe from cyber threats and that all organizational assets, processes, and people are safe from both internal and external threats. Where both roles exist, a clear written division of responsibilities (for example, who owns physical security, who owns incident response, and who reports to whom) avoids the gaps and duplicated effort that the overlap otherwise creates.
With the digital landscape continuously evolving, both a CSO and a CISO are required to keep up to date with current technological advances and changes. This requirement ensures that they keep abreast of any current changes in the digital sphere and evolving threats as well. Without continuous updates, adversaries will have an upper hand, and these two executives will have failed in their roles. Therefore, both executives are similar in their need to continually update their knowledge base to carry out their roles effectively.
This section has differentiated the CISO role from that of a CSO. Next, we will look at what differentiates the role of a CISO from those played by CIO and CTO executives in an organization.
Distinguishing between a CIO, a CTO, and a CISO
In many organizations, CIOs are the foremost leaders of IT departments, answerable directly to the chief executive officer (CEO) or the board of directors. They oversee strategic IT investments, manage IT operations, and lead digital transformations within an organization. If an organization is planning on making huge infrastructural changes that will affect the digital space, the CIO will be tasked with overseeing such projects, ensuring that all organizational information goals are met through the project and that the project meets the long-term mission and vision statements of the organization.
A CTO is the individual in an organization tasked with the integration of new technologies. The role typically requires long-term planning and is concerned with the technological infrastructure changes an organization makes when it takes on new technology or upgrades to technology that will substantially change how information flows within the company. The CTO's reporting line varies: in some organizations the CTO reports to the CIO, while in many product and technology companies the CTO reports directly to the CEO.
Both a CTO and a CIO play roles that are similar to, and partly overlap with, that of a CISO. The CIO role, in particular, presents the highest degree of similarity. Having both a CIO and a CISO is common and sensible, but the reporting structure matters: a CISO who reports to the CIO has to raise security concerns about projects their own manager is measured on delivering, and this conflict of interest is why many organizations have the CISO report to the CEO, the chief risk officer, or the board instead. A CTO typically works closely with both executives. A CIO mainly deals with the management side of an organization and will usually focus on internal operations and how technological changes affect the organization's informational needs. They are also tasked with identifying operational changes that make the most of the information available and leverage the potential of existing resources to the benefit of the company.
Now that we have differentiated the roles played by a CTO and a CIO and how they are similar in some respects to those of a CISO, we are going to see what defines the various security aspects in an organization and how the CISO role fits into the security leadership dimension.
Designing a security leadership role
Business organizations are increasingly suffering from digital threats in the form of cyber-attacks that have become a top concern for businesses globally. Some of these cyber-attacks have led to the destruction of business entities. To make matters worse, the ever-changing IT landscape has led to increased threats for businesses. This has increased a need for businesses to invest in the security of informational and technological resources within their business enterprises, hence the establishment of the role of a CISO. Organizations must have a department within their organization that deals in security and safeguarding an organization’s assets. A failure to adequately protect an organization from both internal and external threats will put the business at risk, resulting in successful data breaches, reduced trust in the company from stakeholders and customers, and threats to the continuity of the business.
To design a security leadership role in a company, all factors affecting the business need to be taken into consideration. Both internal and external factors shape the role. Internal factors include the resources available to the company, the digital space in which it operates, and its informational needs and plans. These factors determine the plans an organization needs to put in place to define the position of its security leader, in this case the CISO. The external landscape in which the business operates is equally crucial. The nature of the business operations and the digital environment they require determine the kinds of threats facing the company and the responses it will need in order to handle security risks and threats to its operations.
After understanding the security leadership requirements in an organization and how a CISO fits into this description, we will next define how the CISO role has been evolving.
Expanding the role of a CISO
The role of a CISO has been expanding along with the changing needs of business operations. Technology has been changing fast, forcing businesses to adapt to their new environment. Many businesses are moving online and using the internet to expand, interacting with other businesses and conducting many of their transactions there. Customers interacting in the digital space give businesses personal data and financial information that attackers can target. A CISO has become a necessity as more businesses go online, not only to promote and advertise themselves but also to complete their business. The online space has become an important channel for transactions, with thousands of e-commerce sites sprouting up every day.
The CISO role has traditionally only dealt with keeping information and systems secure from both outside and inside threats. However, more responsibilities are being added to the portfolio of CISO executives, and the expanding role sees CISOs taking an integral role in the long-term planning and strategic planning of an organization. The very things that introduce information and security risks into a business are the things that are required for the strategic growth of the business—for instance, a business may need to perform an overhaul of its business operations to digitalize and automate many aspects of the business. Such an operation would intend to automate the system to make it more effective and introduce competitive advantage and efficiency into business operations.
However, since a strategic plan introduces new information and security risks, a CISO needs to be included in such plans. Therefore, the expanded role of a CISO requires the executive to be integrally involved in the long-term strategic planning of a business enterprise.
You now have a good idea of how the role of a CISO has been expanding and continues to expand. Next, we’ll go over the evolving nature of the CISO role.
The changing role of a CISO
The role of a CISO is not what it was 5 or 10 years ago. According to those who find themselves in the role today, that's not necessarily a bad thing.
In the past, CSOs were often over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates, and cleaning spyware off infected laptops and desktop PCs. True, that is still the role some CSOs find themselves in, but for the majority, the responsibility has shifted to looking at the big picture and designing a program that balances acceptable risks against unacceptable ones.
In an ideal world, today's CISO hires someone else to handle all those technical security tasks. Of course, a question remains as to whether you can inspire them to do what you once had to do, or whether you will turn them off with an attitude of superiority.
The role of the CISO is ever-evolving because the IT landscape never stands still. New threats arise every day that a business needs to be wary of, and cybercriminals keep finding new ways to attack systems, using new malware and new intrusion techniques. In a changing environment, a CISO cannot have a fixed role; it will keep changing as the company's information needs change and its operations change to reflect them. Likewise, when a business invests in new technological infrastructure, its operations change to accommodate the new technology, and with them come new security challenges. The CISO role will therefore change with the evolving needs of the organization.
A business is always in competition with other businesses in its respective industry. One of the ways a business beats the competition is through the introduction of new business applications and technology that processes data and business transactions more efficiently. The introduction of new technology into business operations is a common means of achieving an edge over the competition. However, the introduction of new technology and implementation of the same into a business introduces new processes that come with unique challenges.
The CISO role is, therefore, flexible and needs to adapt to a changing environment to remain effective. In a multi-department business, security risks may arise from the operations of any particular department. Because of this, a CISO needs visibility into, and access to, every department in the business to be most effective.
How to become a CISO
There is no direct path to the CISO role, which makes it all the more important to hire the right talent. Being a CISO used to be a hardcore cybersecurity role; today, the function involves much more business leadership and risk management.
A CISO must be able to help executives at C-suite level understand risk. CISOs in any enterprise organization must be able to explain security to non-technical audiences, build and maintain critical relationships, and communicate at both senior and operational levels. Soft skills are critical to evangelizing security initiatives and celebrating wins, which need to be expressed as business outcomes.
CISOs who can develop those skills can sell security to their peers and other business-line executives. So, who can become a CISO? Let’s find out who the contenders are here:
- Experienced techies, such as cybersecurity architects, network security engineers, or IT security managers
- An experienced technology risk manager
- A CIO or technology leader with extensive experience building high-performing teams, driving digital transformation, and sitting on executive committees
Becoming a CISO requires both theoretical and practical knowledge of information security. Presently, there are no formal requirements for becoming a CISO in organizations globally; practical experience in the field is what qualifies most candidates. However, given the intricate nature of the field and the ever-evolving demands of the role, more formal expertise is likely to be expected of CISOs going forward. Not every key responsibility of a CISO demands hands-on experience in information security, but all of them require at least a sound theoretical grounding in the field.
It is a common misconception that a CISO, given the role they need to execute, must come from a technical background to be effective. This need not be the case. A CISO works with other experts as part of a team, and that team can include people with practical knowledge in fields ranging from data management and data security to networking. In some cases, what is required is a good manager who keeps the team motivated and pointed in the right direction.
With the introduction of certified CISO programs, it is now possible for an individual to obtain qualifications and certification that demonstrate they can handle the various aspects of the role. Such a program tests a candidate on the skills that are critical to the core responsibilities of a CISO. To become a CISO, you therefore need to learn the theoretical background of data management and understand how information requirements are central to an organization's business operations.
A CISO needs to understand the IT landscape well enough to make informed decisions about the impact of changes in that landscape on the organization. It is critical for anyone pursuing a career in information security to continually update their knowledge of the industry. This includes learning about the tools used to carry out security testing and implement controls for a business. A CISO needs to understand the tools available, the kinds of threats that can face their organization, and the best ways to avert those threats.
In the next section, we will look at some areas of focus of a CISO.
Areas of focus of a CISO
Some of the daily tasks of CISOs are outlined in the following list. Keep in mind that we will cover a CISO's day, end to end, in Chapter 2, End-to-End Security Operations:
- Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
- Cyber risk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
- Data loss and fraud prevention: Making sure internal staff don’t misuse or steal data
- Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure are designed with best security practices in mind
- Identity and access management (IAM): Ensuring that only authorized people have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks—regular system patches, for instance
- Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
- Governance: Making sure all of the preceding initiatives run smoothly and get the funding they need—and that corporate leadership understands their importance
Let’s now have a look at a comparative viewpoint—who should not become a CISO—in the next section.
Who should not become a CISO?
As a trusted security advisor in the past, I met many CISOs who had no clue about cybersecurity, and unfortunately, those CISOs needed the most help. CISOs should not be hired just on the basis of experience in the company or for being a program delivery manager. CISOs are much more than a delivery manager, a politician, or someone who is well networked enough to get the hot seat, which pays well.
Mark my words: organizations that follow this path will have ex-CEOs who blame interns for using weak passwords. (Read the news article here: https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html.)
I met many CISOs who depended on our advisory, or who were great leaders but had no clue what was actually happening in the cyber landscape. In summary, anyone who is not cyber literate should not think of becoming a CISO unless they are happy to learn.
In the last section of this introductory chapter, we are going to explore how to become qualified as a CISO.
Learning about CISO certification
To effectively play the role of a CISO executive, you need to be qualified in the information and security aspects of technology alongside other critical skills that are integral to the role of a CISO in an organization.
Not too many organizations focus on CISO training, but we will discuss some of them in the next sections.
EC-Council CISO program
The International Council of E-Commerce Consultants (EC-Council) is one of the globally leading bodies that offers certification to CISOs, qualifying them to carry out the roles integral to the position. It awards qualified individuals the Certified CISO (CCISO) credential. The program focuses on practical experience and recognizes candidates' real-world work in information security when awarding the certification. It was created by high-level executives who saw an increasing need to recognize the growing importance of the CISO in the modern digital world, and who built a foundation of training and recognition for people already qualified in the field.
The CCISO program is one of the first of its kind and offers both training and certification to already practically qualified people globally. Its founders included both aspiring CISOs and renowned sitting CISOs from world-leading technology firms. Before certification, candidates must sit an exam that tests their knowledge of the information security realm. The aim of the exam is not just to test the candidate's practical skills in data management and security, but also their theoretical knowledge of the principles that guide information security. Both aspects matter: practical skill without theoretical underpinning produces a narrower, less holistic CISO.
Besides EC Council, the SysAdmin, Audit, Network, and Security Institute (SANS Institute) has some cybersecurity management courses, such as Leading Cybersecurity Change: Building a Security-Based Culture, Security Leadership Essentials for Managers, and more.
Based on a study by Digital Guardian, 53 of the Fortune 100 CISOs held the Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (ISC²), and 22 held the Certified Information Security Manager (CISM) certification from the Information Systems Audit and Control Association (ISACA). The top five certifications held by Fortune 100 CISOs were CISSP, CISM, Information Technology Infrastructure Library (ITIL), Certified Information Systems Auditor (CISA) from ISACA, and Certified in Risk and Information Systems Control (CRISC), also from ISACA.
While certifications are good to show what you know, keep in mind that they don’t necessarily make you a stronger professional. Certifications won’t turn a CISO candidate from analyst to C-suite dweller overnight, but what they can do is offer expertise across the many areas CISOs must have basic knowledge of, if not in-depth expertise.
Summary
In this chapter, we have learned that a CISO is the guardian of an organization, building a cyber strategy, acting as an advisor to the board, and still being a technical executive. In some organizations the same role carries the title of CSO or vice president (VP) of security.
The demand for business-centered technical CISOs will continue to grow, because having the right CISO gives companies, their strategic business partners, regulators, and customers assurance that the organization's cybersecurity capabilities are robust and fit for purpose. Being a CISO can be rewarding; as data breaches soar, so do CISOs' paychecks.
In the next chapter, we will cover a CISO’s operations, end to end.
Further reading
Here are some resources that can be used to gain more knowledge on this subject:
- All about CISOs https://www.erdalozkaya.com/tag/global-ciso/
- Understanding CISO Roles and Responsibilities https://www.deepwatch.com/blog/understanding-ciso-roles-responsibilities/
- Global CISO Forum https://www.globalcisoforum.com/
- EC-Council CCISO Certification https://ciso.eccouncil.org/cciso-certification/
- The changing role of the CISO https://www.securitymagazine.com/articles/91653-the-changing-role-of-the-ciso
- CIO Vs. CSO Vs. CSIO – How Are These Roles Evolving? https://www.digital-adoption.com/cio-vs-cso/
- How to become a CISO https://portswigger.net/daily-swig/how-to-become-a-ciso-your-guide-to-climbing-to-the-top-of-the-enterprise-security-ladder
- Hacker Combat CISO posts https://hackercombat.com/?s=CISO
- SANS security leadership courses https://www.sans.org/cyber-security-courses/?&focus-area=security-management-legal-audit&training-format=
- ISACA training https://www.isaca.org/training-and-events