Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future, says Andrew Rose, principal analyst at Forrester Research.
“CISOs can’t afford to remain where they are; they need to decide whether they want to move up or down,” he told Forrester’s forum for risk and security professionals in London.
Moving down would be to take on a supporting role of technical expert, security analyst, legal adviser, compliance advisor or the like, said Rose.
Moving up to become a corporate information risk manager will, however, require facing up to many current failures, he said.
These include a lack of IT security alignment and engagement with the business and a lack of strategic innovation.
“CISOs wanting to move up will also have to fall out of love with the thrill of firefighting and other tactical aspects of security operations,” said Rose.
These elements will not be what the future top information security job is about and should be delegated to those in a supporting role, he said.
CISOs who want to move up will have to invest in self-development aimed at acquiring skills in leadership, strategic thinking, business knowledge, risk management and communication.
A Forrester survey of 60 CISOs indicates that these are the skills they must acquire in future, ahead of security and technical knowledge.
Respondents said preparation of technology and processes to protect data is top priority now, but by 2018 they expect that to swop places with business engagement, currently bottom of their priority list.
This change is already being reflected in job adverts that list security leadership and business skills as top requirements, while security skills are preferred but not essential.
“Orchestration will be key in future, with CISOs needing to be able to manage service providers, co-ordinate the support team and make decisions,” said Rose.
He believes CISOs will no longer be the single point of expertise, but will need external support as compliance, privacy, data management and even physical security are grouped together.
“Any CISO who chooses to pursue the top position should start building their business skills now, broadening their focus beyond IT security and building a support team,” said Rose.
They should think about their future, he said, and most importantly, start finding ways of contributing to and growing the business.