“People in CISO circles absolutely talk a lot about liability. We’re all concerned about it,” Deaner acknowledges. “People are taking the changes to those regulations very seriously because they’re there for a reason.”
In Nagler’s view, more defined regulatory parameters might actually turn out to be “the best gift” for CISOs. “Leaders are taking notice and hopefully it’s driving more thoughtful action and responsible (cybersecurity) program development in organizations. It’s a great opportunity for CISOs to evolve their role and their value to the company beyond just the technology and into being a strategic partner,” she says.
That could require more frequent — and meaningful — face time with the C-suite. Yet the IANS/Artico study indicated:
- Only 20% of CISOs are regarded as C-level execs at their organizations.
- Just 50% of CISOs engage with their board quarterly.
- Although 85% want clear guidance on risk tolerance from their board, only 36% get it.
“A lot of times CISOs are still reporting to the CIO or CTO, the technical part of the organization. So as much as they should be reporting to the CEO, a lot of them still aren’t,” Fitzgerald says.
Reframing the CISO position for the future
In the face of constantly emerging cyber threats, AI advancements that seem to spring up overnight, and a shapeshifting legislative landscape, what’s a CISO to do in this day and age? In a 2022 research note that declared CISOs are simply “burnt out,” Gartner’s Sam Olyaei argued the role needs to be reframed entirely: as a leader of shared risk management, not the singular goalkeeper tasked with preventing breaches. “[The job] must evolve from being the de facto accountable person for treating cyber risks to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions,” wrote Olyaei, VP of cybersecurity advisory at Gartner.
Echoing that, Nagler urges today’s CISOs to “recognize it’s not their sole responsibility” to balance the delicate dualities of managing risk and enabling business growth. Rather, she says their duty is “to make sure the leadership team is equipped to balance that: by threading the needle, by explaining things, by anticipating, by understanding where it’s going.”
Fitzgerald advises the current crop of CISOs to focus on strategy and governance, “making sure all the right things are being done and that ownership of security around the organization is being accomplished, not just the technical pieces of it.”
The last word goes to the very first CISO. In 2021, when Steve Katz reflected on his trailblazing job at Citicorp in 1995, he presciently described his approach to the position in very similar terms. “IT departments were the smallest part of the issue,” Katz said. “From day one, the underlying philosophy was that information security is a business risk issue — it’s a business risk management issue.”