The Emerging Role of the CISO

When I started this post, I intended to take it in another direction.

Initially, I planned to discuss how today’s CISO role has evolved similarly to how the CIO role has changed from the early 1990s. In both cases, the person initially appointed to the position when the role was first emerging tended to be a highly technical, senior-level person. However, over time, both roles have accepted a wide array of talent and backgrounds – some of which are not technical. One common element in a successful CISO is that the person understands technology. But, more importantly, they know the business and can make strategic decisions that align with the organization’s goals and risk tolerance. 

In my view, the CISO role is multi-dimensional, involving aspects of an educator, project manager, consultant, strategist, and security practitioner. 

If I were to summarize my thoughts on the role, I see it as more of an executive coach focusing on business and information risk. 

To draw the parallel, think, for a minute, if you were seeking professional coaching to achieve some physical fitness goal, like competing in an Iron Man triathlon, running your first marathon, competing in a martial arts tournament, etc. For people beginning such a journey, it would be hard to know where to start, let alone to develop the long-term strategy, plan, and tactics to compete and train effectively, without injury.   Having a skilled professional as your coach to help you reach the finish line would be an enormous benefit . They would help with a broad array of matters  during this journey, such as:

• Equipment selection;
• Race strategy;
• Developing the training plan;
• Tracking and monitoring progress;
• Performing  check-ins and adjusting the plan/approach, as needed;
• Giving race-day  day performance feedback;
• And more.

After you hit your big goal, even if it was just finishing the event, the plan will be adjusted, new goals will be set,  and the level of monitoring and interaction with your coach will adapt accordingly.

Similarly, I have seen many companies embrace cybersecurity as someone would pursue an athletic goal. But, instead of being ‘healthier,’ ‘fit,’ or a ‘competitor,’ the goal is to become more secure. And as such, they seek the professional guidance of a full- or part-time CISO to get them there. A competent CISO would create a short- and long-term strategy based on the organization’s current state, objectives, regulatory compliance mandates, and other factors which drive the program.   Additionally, the plan would be tracked, managed, and adjusted based on emerging risks, events, new goals, etc. Finally, the executives and board members would need to be ‘coached’ as to why a particular set of tools and protocols are required. 

I have the honor of mentoring many up-and-comping cybersecurity professionals, trying to convey this concept to them. I tell them that everyone expects them to know more about security than anyone in the company – but this is only part of the role. They need to ensure security is a business enabler and risk mitigator – and to do that effectively, they need to put on their coaching hat and create a climate for performance.