We’re very much of the opinion that 2019 has the potential to be the year of the CISO. More specifically, 2019 is the year the CISO will need to listen. Listen to their peers, to HR, Sales, Marketing, Finance and to the rest of the board and gather as much information about their motivations and what makes them tick as possible.
It’s been said before, but it’s worth repeating. The CISO role will undoubtedly transition into a more business-focused role whose primary responsibility is to benefit the business. CISOs will be in charge of enabling a cyber awareness culture within the organization, meeting compliance requirements and, in many cases, ensuring that the organization promotes itself as a security-conscious brand. With security becoming a primary concern for consumers over the last few years, organizations can actually turn security into an enabler of business, and it all starts with the CISO.
Whether or not the name changes over the coming years, the role of the CISO is set to either succeed or fail depending on how well that individual aligns himself or herself with business success. With that being said, let’s take a look at three ways the role of the CISO is likely to change over the coming years.
1. You Will Only Care About Two Things
Data and people. These are probably the two most important assets in most organizations. As data security becomes more of a focus over the next few years, the priority for the CISO will be how to create a security strategy from the inside out, with data and people at the center.
Data is one of your most valuable assets simply because of its value on the black market and the damage it could do if it were stolen or lost. It’s also valuable because of what it is. If you’re a healthcare organization and your bad security practices cause the loss of patient health information, you could be partly responsible for delayed medical procedures or worse.
People are one of your most valuable assets because they are usually the source of data breaches. Whether it’s because they were specifically targeted by attackers or because they were careless, your employees from all over the business fall under the supervision of the CISO.
CISOs will no longer be seen as IT guys. They will be seen solely as security enforcers with a reach that extends across departments. CISOs will not get involved in the day-to-day running of the infrastructure or the more basic cybersecurity tasks. They will instead be hyper-focused on ensuring that the reputation and bottom line of the business aren’t damaged by the data or the people.
2. You Will Become the Best Presenter in the Organization
One of the biggest challenges CISOs often have is how to communicate with the board and with non-technical departments when it comes to cybersecurity. How can you drive change and improve the security posture of your organization if you can’t break through this communication barrier?
Over the next few years, CISOs will become talented orators, capable of changing the way they speak and what they say to appeal to the audience in front of them at that moment. They will be able to talk in terms of what people want most. The CEO, for example, will want to hear about how the cybersecurity strategy will help to improve the bottom line of the business, whereas the junior sales executive will want to hear about how he or she can use the security posture of the organization as a selling point.
3. You Will Be Able to Look into the Future
CISOs will become experts at taking a step back and looking at the organization as a whole. They will be able to determine how the market is going to evolve and what risks that may present to the security of the organization.
CISOs will get involved in every single decision the organization takes. If the marketing department wants to install a new piece of software on the website, the CISO will have to ensure that the risks that software poses to the security of the data and the people are analyzed and acceptable.
The members of the IT team will not have this scope, and in many cases organizations end up creating risk because they can’t bridge the inter-departmental communication gap. The CISO won’t have this problem if they are doing their job correctly.