The evolving role of the modern CISO

Cybersecurity has been making front page news in recent years. Thanks to more recent, and now famous cyberattacks and incidents (SolarWinds, Equifax, Log4Shell, etc.) there are increased concerns and conversations around organizational cybersecurity. And with this increased concern, the role of chief information security officer (CISO) has become a requirement and not just a “nice to have”.

What started as a position found primarily in financial institutions can now be found at almost any type of organization, even the U.S. Government. A CISO is the most senior security executive who is accountable for the overall security posture of the organization, be it handling the idea to have the right security strategy, mindset, and culture, to making sure the organization has the right set of processes, tools, and technologies to run its security operations. The CISO is also generally accountable to the Board and shareholders for regulatory and compliance needs, overall IT Risk posture, and is integral in customer trust assurance.

In this series, we’re going to explore the evolving role and responsibilities of the modern CISO.

The growth of the CISO

In the early days of internet and application development, application security was often entirely left to the development teams. As the internet and software running on it evolved, the need for someone to own the security started arising and roles like CISO and Head of Security started becoming more common. As with most roles, a clear need has to arise before they can exist.

You can trace back the role of the CISO back to the 90s when CitiGroup appointed a CISO after it suffered a series of cyberattacks. In the early days of the role, a CISO was the owner of the information and data security responsibilities of an organization. This was a role where CISOs were technical influencers who were typically unable to influence business decisions in an organization.

This has changed, though, with the adoption of the shift left approach to security. As the wider tech industry has matured, so has user adoption of technology related services. Cybersecurity is no longer a technical or an IT issue, as its impact can be felt throughout the entire company — from operation centers to executive suites .  We now see cybersecurity risks directly translate to business risks, which has brought the CISO to center stage, making them a business influencer as much as any other executive.

While the role of a CISO will vary across organizations, every modern CISO needs to be able to apply risk management tactics to the overall business strategy and objectives and keep the thriving business secure while allowing it to remain agile and innovative. CISOs need to know about many areas of security, maintain a bird's eye view, and create a strategic picture of how threats faced by an organization affect the overall business. A modern CISO understands that security cannot be a blocker but rather an enabler, so it’s their job to implement security practices that fit seamlessly into existing business workflows.

The evolving CISO role

What we now see across the industry is an evolution of the CISO role, especially with increased consumer and commercial adoption of technology over the span of 20 years. In conjunction with industry evolution we particularly now see the CISO role expanding into things like IoT, robotics, operations technology, artificial intelligence, machine learning, and much more.

Even now, we are seeing many governments create cybersecurity awareness programs in an effort to help educate the public. Understandably so, particularly when it comes to protecting the supply chain and the distribution of food supply, utilities, and core infrastructure.

As an industry, we are now also seeing the emergence of the CISO role into completely new commercial fields like space travel. In 2021, we saw the CISO of Stripe, Jonathan Kaltwasser, join SpaceX as a Vice President with the task of championing the security efforts and taking the role of cybersecurity and CISO to… space, the final frontier.  In the same year, Snyk hired Steve Kinman as Field CISO. In this role, Kinman uses practical experience to advise and inspire security and development leaders to learn, build, and adopt modern DevSecOps programs and practices (all using Snyk).

Modern CISO responsibilities

As the role of the CISO has evolved, their list of responsibilities has grown incredibly. For example, CISOs need to be able to build models to prevent, detect, and respond to threats based on an understanding of the goals and motivations of cybercriminals. That’s a lot more complex than vetting the best endpoint protection system.

Here are some other extremely important modern CISO responsibilities:

• Cyber threat intelligence: The threat landscape is getting bigger with each passing day. According to the Ponemon Research Institute, hostile assaults were responsible for 52% of data breaches in 2020. As a result, including the appropriate threat intelligence into the cyber ecosystem is critical and organizations must be aware of and act upon emerging security threats.

• Risk management: CISOs must be able to develop strategic plans based upon overall risk and implement an information security program based on those accepted risk levels.

• Security operations: They need to be able to analyze any imminent threat or incident in real time and quickly react when something goes wrong.

• Forensics and investigations: In the event of a breach, CISOs must investigate how it occurred, deal with bad actors, and make preparations to prevent future occurrences.

• Cloud-readiness backed with AI/ML: Digital transformation has been moving more and more organizations to the cloud in recent years. CISOs must be able to augment their cloud usage with AI and machine learning. This combination provides the bandwidth and the visibility to identify fraud early and avoid any unforeseen breaches.

• DevSecOps with automation and chaos engineering: Third-party software vulnerabilities account for approx 16 percent of all breaches, prompting us to address flaws quickly and test software for third-party libraries. At the same time, system failures for any reason can be problematic for an organisation. This means that automating tasks and implementing chaos engineering can assist organizations in resolving issues more quickly.

• Identities and data privacy: Phishing emails and credential stuffing have resulted in significant losses, such as the Capital One cyber disaster, which exposed the personal information of about 100 million Americans. The most common attack vectors, according to Ponemon Institute 2020 Research, were compromised credentials (19 percent of malicious breaches).

• Compliance and governance: Recent trends also reveal that users' data is being shared without their permission, demonstrating the importance of data privacy legislation such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and others. Despite the fact that these laws have been passed, data privacy remains a big concern.

• Supply chain management: The supply chain attack that trojanized SolarWinds Orionbusiness software upgrades in order to distribute malware before the end of 2020 was a huge red flag. As a result, even a tiny alteration that goes unnoticed can result in significant losses and stress.

• Risk assessment, mitigation, and avoidance: A CISO must conduct a thorough survey and inventory of information assets, intellectual property, and other valuable digital assets, determine the threats they are likely to face, and determine what steps should be taken to protect those assets from damage, loss, or harm.

• Planning, purchasing, and deploying security hardware and software, as well as ensuring that the IT and network infrastructure is built with best security practices in mind. Understanding how an enterprise's information assets and digital holdings fit within the purview of applicable rules and regulations — as well as how they comply with corresponding requirements — is critical.