The evolving role of the CISO

Why is the role of CISO so vital?

Mark Jones, Consulting Partner at Tesserent, examines the critical function of the Chief Information Security Officer (CISO) and ponders how the job itself – from expectations and skills, to the importance of communication and security culture – is changing.

How has the role of CISO changed, and what impact are they having across business operations?

The role has changed a lot over the last eight or nine years since the invention of the term CISO. It’s gone from a really technical focus to one that is absolutely imperative around communication. That’s communication with not only the executive team and the board, but also with colleagues who you’re working with and the team you’re responsible for, as well as other teams that are responsible for elements of security.

It’s pretty safe to say now that security is identified as a work area that’s not necessarily sitting within the security team’s role. There are lots of roles and lots of teams within an organisation that have responsibility for security. CISOs need to be able to communicate with both the leadership and members of those teams to make sure that security is not just sitting with one person or is only one responsibility within a company. It really does need to go across the whole business, right down to end users. Being able to communicate at all levels from a CISO perspective is something that’s really important now.

What are your thoughts on the creation of a ‘cyberculture’?

The term ‘cybersecurity culture’ has been around for a while now. I’m a massive advocate for security culture and getting people engaged at the right level. One thing I say all the time is that every security incident that has or that will ever happen is because of something that someone did or didn’t do.

So, whether you look at that from the perspective of someone who clicked a link, which is a simplistic point of view, or someone who didn’t write or approve a strategy the right way, or who didn’t understand how or where technology was applicable and what needed to happen from an architectural perspective – security incidents and issues happen because of something that has or hasn’t happened from a security-culture perspective.

My views on that have been pretty set for the best part of eight years now – that is, people are the problem and the solution to what we’ve got here. And I’m not talking about just clicking links and data protection and things like that. I’m talking about really getting people to understand what their roles and responsibilities are – both in the office and at home.

So if we can continually keep the security culture within a business improving and maturing, that will make massive steps towards helping manage this risk, which will always be ongoing.

Audits, by their very nature, are quite intrusive because they’re trying to unpack some of the details to see if there are vulnerabilities. From your perspective and the perspective of a CISO, what’s the best way to prepare a business for audits? Is audit-readiness even a thing?

Audits are sometimes good because you can use them to start justifying controls, and get more money or support for issues that you want to knock down and get actioned.

But when the auditors arrive, you don’t want to be finding out there are lots of issues right when they’re running through your systems. So be prepared by going through internal assessments. Make sure any remediation activities from those internal assessments, which could be done by another party that’s not doing an audit, are done prior to an external auditor coming in.

It’s a very good approach to have those ‘pre-audits’ happening before the real audit, or assessments or workshops or whatever else needs to happen internally to identify the gaps and issues before the auditors come in.

Looking ahead, what do you think will be the biggest challenges facing CISOs this year and into 2023? Is there anything that people should be looking at?

With recent events and with what’s been happening abroad, there are some areas of potential focus. But I’m also working with a lot of clients to understand what their issues are, and watching what’s happening across those areas.

There are some really key themes that are coming through which I see around the assessment of third parties that are linked to your business – understanding what they do for you, how they do it, and the level of assurance you want around their security posture.

Linked with that and linked to current events, I’d recommend having some comfort around your incident-response capability. That means gold-teaming activities where you can work through incidents before they become incidents. That can help you really understand where the gaps and opportunities are for improvement.

Also control programs – there are lots of controls that normally get put in place with security programs, but how often are they assessed, and are they assessed based on risk? How are you getting assurance that when you need to report up, down, sideways that those controls are effective? That’s another area a lot of people are starting to talk about and ask questions.

I think there’s also going to be more changes from a regulatory and compliance perspective. So you should at least have that on the agenda – when those things do come up, you’ll have a pretty good degree of certainty that you’ve got a response lined up, and that you can confidently answer any security-type question that comes across your desk without getting caught out during an audit.

Be prepared for internal and external audits. Always being on top of those sorts of things is a good start.

Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.