How CISOs View Their Jobs

Forbes Technology Council
POST WRITTEN BY
Gary Hayslip

I have previously written about the role of the modern Chief Information Security Officer (CISO) and how CISOs align their security programs with the business operations of their companies. That article discussed the changing roles CISOs are now assuming as organizations mature and employ security leaders in positions that support strategic business goals.

In retrospect, I wrote that article more about the job and less about how CISOs view the job and the challenges they face. So keeping this in mind, I want to look at how CISOs view the challenges of their jobs. This article will focus on six domains that impact CISOs personally and professionally in their dynamic roles. These domains are barriers to success, obligations, authority, technology, risk management and, finally, the pros and cons of today's reporting structure.

1. Barriers To Success 

CISOs are change agents; they can be viewed as barriers by the business because of their lack of business skills or the way they interact with entrenched business cultures. This domain is one of the harshest for CISOs and their ability to be effective and manage risk. It is where the CISO may face organizational barriers such as budget, staffing levels and reporting relationships. Many of these barriers will negate the value of a security program and impact a CISO's ability to grow cybersecurity as a core component of their business's culture.

2. Obligations 

As the senior security executive for an organization, a CISO has specific duties that come with their role. Of course, as many CISOs know, these duties are constantly changing as businesses find new challenges or opportunities they want their CISOs to manage. Some of these duties are to determine and implement best practices to protect critical organizational systems. Other duties might include building a security program to continuously scan, monitor and remediate risk or working with outside departments (such as a legal team) to assist with contracts or collaborate on compliance issues.

3. Authority 

The position of CISO also comes with authority that covers a wide swath of technology, policy and procedures. CISOs are given the authority to build and manage a security stack, aligning its technologies with core policies that support the business. CISOs are also given the authority to train their staff and employees to view cybersecurity as a fundamental business practice. They have the authority to select vendors who meet their requirements, build an incident response program and support business continuity. Coupled with this authority is accountability. A CISO's actions will impact their business, whether for good or ill, and they should expect to be held accountable.

4. Technology 

A CISO will need to implement a blend of technology to help manage risk. They can approach this domain using a business view of understanding critical operations and the data/technology an organization requires to be successful. A CISO in this domain can also use a network-centric view of understanding how their company's data flows -- how sites, teams, vendors and partners are connected to corporate infrastructure, and the risk these connections impose on the business. In this domain, CISOs must also be innovative and accept the adoption of new technologies such as the cloud in all its variants and new software development processes their companies will use to enhance revenue. This domain and its views are fast-paced and challenging, so CISOs need to be comfortable with continuously looking for the risks that innovation may impose on their organizations.

5. Enterprise Risk 

As mentioned previously, enterprise risk is intertwined in everything a CISO manages within their job. Risk in this domain can be viewed through the services CISOs provide to lines of business to help them innovate and generate revenue. Risk can also be viewed through the compliance regimes CISOs must manage due to the sensitive data types they hold at their organizations. In this domain, risk is also explored and transferred away from the customers and partners the business supports. Finally, a CISO mitigates and controls risk by monitoring threats to the company and its employees and by using security controls to reduce negative consequences to operations.

6. Today's Reporting Structure 

In this final domain, it's all about who CISOs report to and where the security program fits in the business reporting structure. From the beginning, the CISO role came out of the IT department, so the traditional reporting structure for many is to the CIO. This structure works well for many CISOs because the IT and InfoSec teams need to work closely and support each other. However, this arrangement does have its downsides. A CIO's view and a CISO's view on risk and critical resources/services can be very different, which can negatively impact a CISO and their security program. The CISO's view on whom they report to and where their department sits within an organization is in actuality a measurement of their ability to implement change when required or manage risk within business boundaries. Reporting to senior leadership, the CEO or board of directors gives the CISO visibility and can help them make changes. However, the farther the security program is away from IT, the less visibility the CISO has into IT operations and their risks to the business. So there must be a balance that gives CISOs the visibility they need to be effective while still providing the interaction with peers such as the IT department.

These views demonstrate the uniqueness of the CISO role and provide insight into the types of security leaders businesses will need to train or recruit to fill this demanding position. As corporations continue to report security breaches, and new threats to business operations appear daily, the importance of the CISO role and how it is viewed by the company is now more critical than ever to a company's success.