The security industry has changed dramatically over the last few years, with CIO/CISO turnover at an all-time high. In fact, according to a Ponemon study, the average tenure of a CISO is now just over 2 years. Why? Security breaches are making news headlines on a daily basis. Consequently, security has become a key issue for everyone, from private companies to government organizations. Yet the CISO role appears to be a revolving door in many enterprises.
I recently sat down with Chris McClean, VP and Research Director for Forrester Research, to get a better understanding of how the requirements for CISOs have changed, how top CISOs align security in complex environments, and what savvy CISOs can do to be successful:
What is the biggest change in business priority that CISOs are currently facing?
Adoption of new technologies and increasing threats are well documented, but many security leaders are missing how a major shift in technology spending is introducing risk behind their backs. In the past three years, more than half of the budget for new technology supports projects aimed at winning, serving, and retaining customers. These projects are driven by business leaders; thus, CISOs focused on securing and protecting back-end systems are missing substantial risk in customer-facing communication and engagement channels.
This goes well beyond “shadow IT”; this is sanctioned technology spending that may never pass under the watchful eyes of CIOs and CISOs. In fact, roughly half of manufacturing, research and development, and sales and marketing leaders say technology spending makes up over 20% of their department’s budget. Without close connections to those departments, a CISO can’t assess how new projects might expose the company to threats against its customer data, intellectual property, or — more importantly — brand.
What specific new expectations do business colleagues have of their CISOs?
The external-facing efforts described above are creating new expectations for CISOs to play a more customer-facing role. Whether in a business-to-business (B2B) or business-to-consumer (B2C) capacity, CISOs have to do a better job understanding how security and privacy concerns might have an impact on customer engagements. For example, if you had better control documentation, would you be able to respond faster to B2B prospect requests and improve sales? Or in a B2C environment, could you help your marketing team gather more data for customer analytics by more clearly articulating your privacy and security policies?
The complicated business ecosystem is also increasing expectations for CISOs. Because so much of the business runs on data and technology, CISOs need relationships with nearly every function in the enterprise, not just within IT. Those relationships also need to extend to third parties, who often collect, process, and store sensitive company information outside of CISO control.
As fast as business is moving, executives aren’t looking for a strict master of policy enforcement to run security. Instead of an authority figure, they need a resource; they need an expert in business risk, regulations, emerging technologies, and solutions who can help the business move quickly ahead of competition. CISOs who want to be part of strategy and project planning are expected to bring solutions to the table before they’re asked.
Finally, it’s not enough for security leaders to align to current IT and business strategy. While this is a good start, it still leaves the security function in reactive mode: waiting for the business to call the shots and responding as quickly and effectively as possible without getting too much in the way.
How are the most successful CISOs responding to these challenges and expectations?
First, they are spending more time explaining why security and risk management are important. This is getting easier as security incidents regularly dominate headlines, but it’s still up to the CISO to describe plausible scenarios that could cost the company in legal, operational, financial, and reputational terms. The best CISOs can also explain how their efforts directly support corporate values and objectives; without security, companies cannot grow and maintain a strong user base, cannot adopt emerging technologies safely, and cannot compete in business environments increasingly dependent on data.
Second, the best CISOs are applying their technical knowledge to understand the business ecosystem rather than specific security technologies. For example, connected devices, new communication technologies, big data initiatives, and technology partners will affect the security posture of nearly every company in the next few years. Successful security leaders have to anticipate how their companies will adopt these technologies so they can start training staff and exploring solutions well before solutions are needed.
Finally, CISOs are fostering extended teams of champions who understand the importance of security and are willing to make it their responsibility. For many security teams, this means creating a network of liaisons throughout marketing, sales, customer service, product development, and other functions to keep abreast of new initiatives with security implications as well as to communicate any new security policies or guidance. Knowing that they can’t anticipate every possible scenario, it also means training people to understand their role in protecting sensitive data and assets beyond just memorizing policy and process.
If you’d like to learn more, you can listen to our full conversation on this webinar: Tactics of Successful CISOs, featuring Forrester Research.