The role of the Chief Information Security Officer (CISO) has evolved in many ways over the past decade. For instance, as the threat landscape has continued to change and become more complex, CISOs have needed to improve how they communicate the nature of these threats and the response plan that's in place to address such risks to the C-suite and the board of directors.
Plus, as cyber threats have become more widespread and as the cyber security talent shortage has become more acute, CISOs have had to become much more creative in their approaches to identify, recruit, develop, and retain cyber professionals.
But perhaps the most significant change to the CISO role is that it has become considerably more business-focused in recent years. While CISOs still need to be technically competent, they also must be able to communicate the company's security posture, its response to information security threats, along with its risks, mitigation, and controls in business terms that the C-suite and board of directors can understand.
Not only are members of the C-suite and the board looking for cyber security to be couched in business terms, they sometimes need to be steered away from their view of cyber concerns as a technical issue.
According to a 2016 survey of Deloitte's CISO Labs participants, 79% of information security leaders indicated that they were "spending time with business leaders who think cyber risk is a technical problem or a compliance exercise."
Communicating as a business leader
"I'm being asked to be more of a business leader, to respond to executive management and board interests in the topic, and to communicate differently with the board than we had to a few years ago," said Michael Wilson, SVP, CISO McKesson IT, McKesson Corporation. Wilson was one of the prominent CISOs speaking at the 2017 San Francisco CISO Executive Leadership Summit on March 17 at Fairmont San Francisco.
One of the ways that Wilson communicates the company's security posture is by arming members of the board with dashboard tools that let them track how effectively McKesson is performing on cyber security governance, protection, response, and recovery efforts.
"I use these tools as well. It tells a story about our organization's maturity," said Wilson.
Meanwhile, cyber readiness updates with the board and with McKesson's audit committee have also become more frequent in recent years. "The cadence is up, and the concern is there. Most boards are struggling to have IT representation and now we have the security piece which brings it to another level," Wilson added.
Not only are Wilson's discussions with the board and C-suite business-focused, they're also concise, said Wilson. "The communication with the board is short - you don't have a lot of time. They're looking for metrics to be consistent as they've seen in other places. What is the threat posture, what are we doing well, what are the gaps, and what is the plan to address those gaps? These are the things they want to know," said Wilson.
Even as McKesson moves forward with digitizing its various businesses and embedding security into its digitized operations, Wilson is finding that his role and his communications have become increasingly business-focused and less technically oriented.
"I'm being asked to be more of a business leader and to respond to interest on cyber security topics and to communicate differently than I had to a few years ago," said Wilson. "It's become less of a technical role and more about balancing our cyber security needs with our business strategy."
Interested in learning more about the evolving relationship between CISOs and the C-suite and the board of directors? Register for one of HMG Strategy's CISO Summits.