Where organisations do have a chief information security officer (CISO), the role is typically being marginalised in comparison with other members of the C-suite, according to Jean-Christophe Gaillard, managing director of management consultancy firm Corix Partners.
“What a CISO does varies enormously from one organisation to the next, but most are still doing a very technical job and dealing with incidents, so rarely do they have the time, inclination or profile to look at more transformational or strategic matters,” he told the KuppingerCole Cyber Security Leadership Summit in Berlin.
Another common trend, he said, is that the role of the CISO is attached to the role of the CIO and there are still many CISOs reporting to CIOs. “And it is this technical, tactical CISO role attached to the CIO that I see being marginalised by three main factors.”
First, Gaillard said, is the fact the role of the CIO is evolving as information technology evolves. “This is changing the CIO’s role fundamentally. Now the CIO very often has to share powers with chief digital officers and chief data officers, as well as a growing number of third party suppliers who are increasingly powerful.”
CIOs also have to deal with increased pressure from the business to remain competitive in the face of digital transformation, while “keeping the light on” by dealing with layers of legacy systems that have never been updated.
“The CIO has to face this transformation of their role, and the traditional role of the CISO is affected by that, and like CIOs, CISOs run the risk that if they don’t adjust to the challenges of the digital transformation, they will become merely guardians of legacy.
“The CISO also runs the risk of becoming the guardian of an empty shell because all the assets are being moved elsewhere and the guardian of a variety of uneven relationships with suppliers, with little control over the way information is protected.”
The second factor marginalising the role of the CISO, said Gaillard, is that although cyber security is increasingly on the agenda of the board, the focus is more on resilience, which is about the ability of the organisation to respond to and recover from attacks.
“Resilience is starting to emerge as a much broader concept than security and is creating an additional layer of corporate management, of which the CISO is only one part, which has the tendency to downgrade and marginalise the role,” he said.
The EU’s General Data Protection Regulation (GDPR) and privacy concerns in general have also had a big impact on the board, with large budget allocations made to ensure organisations are compliant.
“However, I have yet to see a CISO who has capitalised on this politically to elevate their position or gain more influence across the organisation. In fact, in many cases the opposite has occurred, with data protection officers and chief privacy officers starting to breathe down the necks of CISOs and starting to alter the way CISOs work.”
The third main factor affecting the role of the CISO, said Gaillard, and arguably the most important, is that the role is paying the price for IT investments that have failed to halt cyber attacks.
“For many senior executives, the role of the CISO feels like a ‘black art’ always requiring more investments, but at the same time cyber attacks keep happening, which has damaged the profile of the CISO position in the eyes of many business leaders,” he said.
The changing role of CISO
This is the reason, said Gaillard, there are more and more CISOs jumping from one job to another. “They find that they can’t do what they want because the recipe book they bring with them does not resonate anymore and business leaders no longer listen to them.”
However, although Gaillard doesn’t believe the role is outdated, he sees it as being under threat and losing ground.
“Firms looking to reverse this trend first need to elevate the profile of the role, particularly the C-level part of the role. Inject managerial experience, real-life experience, personal gravitas and political acumen.
“My advice to organisations is to avoid hiring an ex-CISO because they run the risk of re-injecting the same problems into your organisation and perpetuating the problems you have been having.
“Rather, look internally for the right person, because knowing how your organisation works and having the right political intelligence around that is key to success – but you will have to make the role attractive.”
Decoupling managerial and technical aspects
After raising the profile of the role, Gaillard said the next thing to do is to decouple the managerial aspects from the technical aspects of the role.
“The implementation of technical security measures to protect ourselves against cyber threats is an absolutely essential thing to do and it needs to be done well, so let’s package it as a middle management position in IT and put it in the portfolio of the CIO, but let’s stop kidding ourselves that this is a C-level job.
“Then turn the managerial CISO function towards the new players in the field like the data protection officer and the chief privacy officer, and towards assisting the business units in all aspects of their digital transformation, dealing with third parties and the associated evolution of the threat landscape.”
According to Gaillard, the individual who can be credible with the IT teams around very specific and technical topics one minute and then be credible with the board in the next, and influence their thinking, either does not exist or is extremely rare.
“Let’s rather split it into two roles, and thereby make it work differently and more effectively,” he said.