Ahead of the cyber curve: the evolving role of the CISO
March 2024 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
March 2024 Issue
To protect their customers, shareholders and other stakeholders, companies need to become more agile and responsive to the scale and scope of the cyber threats they face. Today’s realities require a new type of chief information security officer (CISO).
A staple but relatively low-profile member of the C-suite since the 1990s, today’s CISO has become central to operational success. The role now has a wider remit, not least because technology touches virtually every aspect of a business, and the coronavirus (COVID-19) pandemic further altered the technology and cyber security profile of many companies.
Growing threat
The annual cost of cyber crime has grown sharply in recent years, amid a dramatic increase in hacking activity by hostile nation-states and organised criminal gangs. According to Cybersecurity Ventures, cyber attacks have become the fastest-growing category of global crime, with an estimated annual cost of $10.5 trillion by 2025, up from $3 trillion in 2015. Cyber criminals are also becoming increasingly sophisticated in their methods.
A cyber attack may result in theft of money, intellectual property or sensitive data, damage to or destruction of data, business disruption, lost productivity, fraud or embezzlement, among other harms. Following a breach, there are also direct costs associated with digital forensic investigation and system restoration, and indirect costs such as reputational harm to the business.
CISOs stepping up
Of course, CISOs are predominantly concerned with data and cyber security, managing digital risks within the organisation along with those it may be exposed to via third-party relationships. They are also typically responsible for connected physical assets, such as internet of things (IoT) devices. In addition, CISOs are likely to oversee employee security awareness training, as well as endpoint and network protection.
But beyond these core responsibilities, CISOs are also expected to be strategic enablers who can empower growth, innovation and digital transformation. According to a Splunk survey of CISOs, 86 percent of respondents said their role has changed so much since they started that it is almost a different job.
The CISO is now more than a technical adviser: in 47 percent of the organisations surveyed by Splunk, the CISO reported directly to the chief executive, indicating a closer relationship with the C-suite and its governing committees. This reporting line is more common in Europe, most likely because of regulatory imperatives and the directors’ and officers’ (D&O) liability attached to cyber security.
Senior leaders are more reliant on CISOs for guidance in a changing threat landscape. Greater collaboration between CISOs and the board means both need to speak the same language. CISOs must be able to communicate effectively with the board and C-suite, translating technical jargon into business risk, as this illuminates the importance of investing in security to support the organisation’s business goals.
Yet according to research from IANS, only 50 percent of CISOs engage with their board as often as quarterly.
Their expanding remit means CISOs often answer to customers, regulators and internal stakeholders on their organisation’s information security practices and posture, including notifying external parties of reportable security incidents.
Effective mandate
Ideally, companies will trust their CISO to keep them ahead of the cyber security curve with a proactive approach. To perform their role, CISOs must be given adequate resources and the ability to deploy them as needed. This includes a budget for acquiring the latest technology, recruiting and retaining the best professionals, and raising awareness of cyber risks throughout the organisation.
Artificial intelligence (AI) and generative AI (GenAI) can also create opportunities to expand the CISO’s sphere of influence. AI-based tools can support threat detection, automate routine security operations and adapt defences as attacker techniques change, provided their outputs are validated rather than trusted blindly. AI can also assist with automated compliance monitoring, helping keep the company up to date with new rules and regulations, especially in areas such as anti-money laundering and counter-terrorism financing.
CISOs aim to assess and respond to potential risks before they materialise. To achieve that, they need to be embedded in other areas of the business, such as procurement and purchasing decisions and mergers and acquisitions processes, so that they can evaluate and report on the associated security concerns before commitments are made.
When given greater influence, budget and mandate, CISOs not only safeguard their company’s digital assets but also reinforce its commitment to regulatory compliance, fostering trust among stakeholders and ensuring long-term success in a changing business landscape.
© Financier Worldwide
By Richard Summerfield