As cybersecurity has become a priority for CEOs, Boards of Directors and line-of-business leaders, the role of the CISO has continued to evolve with CISOs taking on additional responsibilities. Senior leaders recognize that cybersecurity represents the greatest risk facing the business. As such, CISOs have increasingly become responsible for overseeing not just cyber-risk but enterprise-wide risk as well, according to HMG Strategy’s 2022 Research Agenda.
“There has been a greater move toward recognizing the role has a key responsibility to identify and communicate the intersection of corporate risk identification and management with appropriate strategies for risk mitigation,” says Scott Daitzman, Managing Partner and Virtual CISO at SJD Cyber, LLC in Haymarket, VA. Daitzman is an Advisory Board member for HMG Strategy’s 2022 HMG Live! Global CISO Executive Leadership Summit which is taking place today.
Much of this is being driven by CISOs’ deepening involvement with the business. “The CISO is regularly interfacing with executive leadership, the Board of Directors, engineering, software development, marketing and business leadership,” says Lisa Tuttle, CISO at SPX Corporation in Charlotte, N.C. For instance, in the manufacturing environment, CISOs are taking greater ownership and governance of operational technology such as in the manufacturing plant, Tuttle adds.
The CISO’s responsibilities continue to expand across various industries to include not only operational infrastructure but also product development security, notes Matthew Rosenquist, CISO at Eclipz.io in Los Gatos, CA. “This is being driven by risks to consumer and customer trust and potential competitive advantages,” Rosenquist adds.
There’s also greater alignment and collaboration between cybersecurity and privacy initiatives. “Recent surveys show how Cybersecurity and Privacy teams will at the very least work more closely together and, in some cases, adjust the reporting structure,” Rosenquist says. “The reason is clear — both domains are heavily reliant on each other.”
To that end, government regulations requiring increased cyber literacy among Board members is shining a brighter spotlight on communications with the CISO, notes Daitzman.
Some of the changes being seen in the CISO role are being driven by external customers and by regulators. “Customers and regulators have become more demanding and more prescriptive, forcing enhancement of security programs and leadership,” says Todd Friedman, CISO at ResMed in San Diego, CA.
Meanwhile, skyrocketing premiums for cyber insurance combined with reduced coverage are prompting CISOs to have deeper discussions with the CEO and the Board to help them make better sense of these changes.
“The underwriting process has become more like a formal audit than a purchase process,” notes Friedman.
Added Responsibilities
Some of the new responsibilities that CISOs have absorbed over the past few years include ownership of physical security strategies, fraud and enterprise risk. “Insider data theft and third-party risk assessment have become two of the major areas for increased focus,” says Daitzman.
“A recent change for many CISOs is the increased focus on formal cyber risk management that extends beyond the tactical matters,” notes Friedman. “Digital transformation has increased the importance of system availability and the need to avoid breaches to retain assurance and trust.”
In other instances, CISOs are gaining influence in areas such as product development, privacy and compliance efforts. “This is often extended into the enterprise risk domain as it includes upstream and downstream partners,” says Rosenquist.
Meanwhile, evolving CISA and SEC cyber requirements are prompting meatier discussions between CISOs and Board members. “The requirements are becoming more prescriptive and board members are becoming more cyber-informed, resulting in more substantive discussions between CISOs and the board,” notes Friedman.
One ramification of the evolving regulations for CISOs is that reporting by many CISOs to the Board will shift from annual to quarterly, with less focus on metrics and more focus on business impact and risk, says Tuttle.
And as Board members are being tasked with having greater cyber literacy under the proposed SEC requirements, this will “require changes in the depth of information presented and discussed,” adds Daitzman.
In essence, “evolving governmental requirements and the discussions taking place around them, is making the communications between CISO and the Board more plausible where it wasn’t before, recommended where it was being considered, and necessary where it already existed,” says Rosenquist.
To best communicate these emerging requirements effectively to the Board, Tuttle recommends business use cases which explain the “so what” to the Board, “sharing success stories such as ROI for security investments and proactive actions taken to mitigate attacks on other companies in the news.”
Frequent communication with the Board is also important, whether in the form of Board presentations, audit committee reporting or 1-to-1 interactions, says Friedman. “The reporting of a security event is not how a CISO wants to meet the Board for the first time,” Friedman adds.
In addition to communicating goals, expectations and metrics with the Board, Rosenquist believes that maximizing value will be a key discussion point between CISOs and Board going forward. “The industry will be talking a lot more about cybersecurity value in the coming years,” says Rosenquist. “It has been our Achilles heel. Cybersecurity must do better and more for the bottom line.”
Looking ahead, CISOs will need to continue to focus on talent management to ensure the success of their security programs, notes Tuttle. This includes the importance of being connected with team members to help retain critical talent.
“As the CISO role continues to expand exponentially, you must continue to evolve your communication skills, build relationships with business leadership, and mitigate technology risk to support business strategy,” Tuttle adds.
Key Takeaways:
In addition to overseeing cyber risk, CISOs are increasingly taking on responsibility for enterprise risk, as well as operational technology, product development security and privacy
It’s essential for CISOs and security leaders to communicate cyber threats and other forms of risk in business terms and language that Board members and other members of the senior leadership team can understand
Soaring premiums for cyber insurance combined with reduced coverage are prompting CISOs to have deeper discussions with the CEO and the Board to help them better understand these changes and the options that are available
To learn more about the evolving role of the CISO, register for the 2022 HMG Live! Global CISO Executive Leadership Summit on October 4.
