In part three of our series, we laid out the five top priorities for CISOs as they shift their focus to the executive aspects of their roles and build out their teams. In this final part of our series, I join my colleagues Aileen Alexander from Korn Ferry and Paul Calatayud from Palo Alto Networks to look at those priorities in greater depth. Specifically, we focus on what CISOs can do today to empower their organizations.
No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness
- Be creative. Think differently about the teams you have today, how their skills match to the latest trends and train them as needed.
- Work with HR to develop university outreach programs that focus on acquiring young talent early into the organization.
- Focus on making it easier to consume security technology. If you can make it easier for others to approach your team and understand what your team does, then you have a higher likelihood of attracting a different type of talent that can bring a unique set of skills to your team.
No. 2: Incorporating regional laws and regulations into cyber strategy
- Familiarize yourself with the impact of these regulations. Bring in a third-party expert to explain the intricacies and considerations.
- Consider introducing the role of a business information security officer (or BISO) in certain key regions. While they may not be focused on cybersecurity, they should focus on the risks, regulatory impact and privacy laws in their respective countries.
- Align closely with legal and policy teams to advise on the impact of these laws on your organization.
No. 3: Embracing the DevOps philosophy
- Forge strong relationships with these teams and become more involved in their development processes.
- In meetings and conversations, focus on risk guidance and why security is important to every application deployment.
- Define and share security requirements in a way that they become a natural part of the development process.
No. 4: Tackling IoT security (corporate and personal)
- Get involved in the process of IoT purchases at your company.
- Expand cybersecurity awareness training to include education about personal IoT devices and the far-reaching impact these devices can have on the organization.
- Advise employees on how to adjust device and app settings, such as location and data access, to protect employees and the company.
No. 5: Aligning with product and physical security
- Proactively get involved and forge relationships with product and physical security teams.
- Highlight the unique security risks and considerations for new products during early development stages.
- Develop steering councils or security review committees with the teams responsible for product or physical security.
This is a very challenging time to be in cybersecurity. At the same time, it can be very exciting. The threat environment is becoming more sophisticated and the impact of cybercrime and data breaches is becoming more high profile and potentially disruptive. It is not unfair to say that the future of the organizations often rests in the hands of our CISOs and their teams.
As we’ve seen in this four-part series The Evolution of the Chief Information Security Officer, the increased profile, visibility and accountability of the CISO is causing significant changes in who will succeed in these positions and how they will operate. Being the most technically astute individual in the organization is not a bad thing, but it’s not the only attribute that will define a successful CISO, now and in the future.
Instead, CISOs will need to fit comfortably in the executive suite, speak the language of business and recognize that one of the most important roles they have to play is as a change agent. As we said at the outset, cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. That reality will continue to determine how the role of the CISO continues to evolve in the future.