CISOs must shape up or ship out, says Forrester

Chief information security officers (CISOs) must evolve into data risk managers if they are to survive in the future, says Forrester Research

Chief information security officers will have to evolve into corporate information risk managers if they are to survive in the future, says Andrew Rose, principal analyst at Forrester Research.

“CISOs can’t afford to remain where they are; they need to decide whether they want to move up or down,” he told Forrester’s forum for risk and security professionals in London.

Moving down would be to take on a supporting role as a technical expert, security analyst, legal adviser, compliance adviser or the like, said Rose.

Moving up to become a corporate information risk manager will, however, require facing up to many current failures, he said.

These include a lack of IT security alignment and engagement with the business and a lack of strategic innovation.

“CISOs wanting to move up will also have to fall out of love with the thrill of firefighting and other tactical aspects of security operations,” said Rose.

These elements will not be what the future top information security job is about and should be delegated to those in a supporting role, he said.

CISOs who want to move up will have to invest in self-development aimed at acquiring skills in leadership, strategic thinking, business knowledge, risk management and communication.

A Forrester survey of 60 CISOs indicates that these are the skills they must acquire in future, ahead of security and technical knowledge.

Respondents said preparation of technology and processes to protect data is their top priority now, but by 2018 they expect it to swap places with business engagement, currently at the bottom of their priority list.

This change is already being reflected in job adverts that list security leadership and business skills as top requirements, while security skills are preferred but not essential.

“Orchestration will be key in future, with CISOs needing to be able to manage service providers, co-ordinate the support team and make decisions,” said Rose.

He believes CISOs will no longer be the single point of expertise, but will need external support as compliance, privacy, data management and even physical security are grouped together.

“Any CISO who chooses to pursue the top position should start building their business skills now, broadening their focus beyond IT security and building a support team,” said Rose.

They should think about their future, he said, and most importantly, start finding ways of contributing to and growing the business.
