The ascent of the CISO

May 19, 2019

Just as the scale and seriousness of the cyber threat facing businesses have evolved in recent years, so too has the role of the chief information security officer (CISO). Sir Rob Wainwright makes a case for the CISO, not only for security but to add value to the organisation.

Cyber aggressors, including hostile states, organised crime gangs and lone hackers, have become more numerous, focused and sophisticated. The methods at their disposal have become more innovative, varied and destructive. Many businesses have adjusted to this more hostile cyberspace. Those that have adapted have re-modelled their short-term tactical procedures and long-term strategies to improve their defences. They have invested in the latest detection and prevention software. They have become better at responding to breaches and getting operations back to normal as soon as possible afterwards. And these businesses have elevated their chief information security officers (CISOs), giving them more authority and budget.

Cybersecurity is now dealt with higher up the corporate ladder. In many cases, the CISO has become a close peer of the chief information officer (CIO). The role now demands business leadership as well as information security and technical skills, and the CISO is now seen as a business partner, not just a business protector.

Value for money

The CISO’s department has become a much bigger cost centre than it ever was and, therefore, has to demonstrate value for money. The argument has to be made that high expenditure on security will, by reducing the incidence and severity of attacks, save the company money in the long run. If this argument is accepted, the CISO will be seen as a money saver.

Some companies, such as certain telecommunications and defence companies, have developed such sophisticated and effective security that they can sell their solutions to other companies and have spun off separate businesses to do so. In these cases, the CISO has become a money maker, and thus a good friend of the chief executive and finance director.

However, the rise of the CISO is far from over. Robust cybersecurity is the foundation of a resilient company. With effective cyber risk management, businesses can achieve smarter, faster and more connected futures, driving business growth. As cyber threats to businesses increase, the role of the CISO will become even more critical. 

Cyber threats

The main cyber threats to businesses fall into several broad categories. One is the opportunistic, high-volume theft and use of data – data breaches – by criminal groups and individuals for commercial gain. Another is the targeted use of higher-end capabilities such as malware and ransomware by malicious state actors, “hacktivists” and criminal gangs with the specific intention of disrupting banking networks and the operating systems of other global industries. There is also the attack that spreads from intended targets to unintended victims, disrupting or destroying business supply chains and causing catastrophic collateral damage. 

Companies have adopted a range of tactical and strategic security measures to counter these threats, but none provide 100% protection. It is inevitable that breaches will happen. The best that can be hoped for is that the risk of breaches is minimised and that, when they do occur, they are dealt with quickly and business continuity plans kick in immediately. That is where an effective CISO comes in.

Understanding these threats and putting effective counter-measures in place is the responsibility of the CISO, but he or she depends on many others in the company. The board and top management need to be aware of the risks and approve a budget that provides the CISO with the necessary technology and human resources. Staff at all levels need to be educated about the critical roles they play in their company’s security and follow the established procedures on the use of passwords, data access rights, and so on. However, the brunt of the day-to-day responsibility falls on the CISO. The CISO has to communicate the nature and extent of the cyber threats to all levels of the company. They have to influence senior management and the board to support the cybersecurity strategy and sign off an ever-increasing budget.

The evolving CISO

It is fascinating to see how the position of CISO has evolved, from being a cost generator to a value protector and, in some instances, to a value adder. Different companies are at different stages of the evolutionary process, depending on a variety of factors such as management foresight, industry sector and country of operation. A landscape as dynamic as ‘cyber’ calls for a new breed of cyber security leaders, and the CISO role must continue to accelerate to adapt to the ever-changing cyber environment.

The role of the CISO has changed. In the past four or five years it has broadened, from being almost purely technology-oriented to being more people-oriented, and from being a middle-management function to being a business and technology leadership function. The role continues to accelerate in the same direction to meet these needs.

Sir Rob Wainwright is a Partner in Risk Advisory at Deloitte Netherlands.

Sir Rob was previously the Executive Director of Europol, from 2009 to 2018 and has had a 25-year career in intelligence, policing, government, EU and international affairs, including at the Serious Organised Crime Agency, National Criminal Intelligence Service and the British Security Service. In June 2018 he was awarded a Knighthood by HM The Queen for his services to security and policing.