The new CISO: Leading the strategic security organization
As customer data and intellectual property evolve and invite new forms of information theft, the leadership role of the chief information security officer must become stronger and more strategic—moving beyond the role of compliance monitor to help create an organizational culture of shared cyber risk ownership.
Monitoring, repelling, and responding to cyberthreats while meeting compliance requirements are well-established duties of chief information security officers (CISOs), or their equivalents, and their teams. But the business landscape is rapidly evolving. An often-cited statistic holds that "90 percent of the world's data was generated over the last two years."[1] This explosion of data and connectivity gives companies new opportunities for customer growth and product development, but these opportunities come with a catch: as customer data, intellectual property, and brand equity grow in value, they become new targets for information theft, directly affecting shareholder value and business performance. In response, business leaders need CISOs to take a stronger and more strategic leadership role. Inherent in this new role is the imperative to move beyond acting as compliance monitors and enforcers, to integrate better with the business, to manage information risk more strategically, and to work toward a culture of shared cyber risk ownership across the enterprise.
Paradoxically, though CEOs and other C-suite executives may well want the CISO's role expanded, these same executives may unknowingly impede organizational progress. While senior executives may claim to understand the need for cybersecurity, their support for the information security organization, and sometimes for specific cybersecurity measures, can be hard to come by. For instance, 70 percent of executives are confident in their current security solutions, yet only 50 percent of information technology (IT) professionals share that confidence.[2] The people closest to the controls are markedly less sure of them than the people funding them. So what is creating this organizational disconnect?
CISOs recognize that they can benefit from new skills, a greater focus on strategy, and more executive interaction, but many are spinning their wheels in their attempts to get these initiatives moving. Drawing on insights from Deloitte's[3] CISO Lab sessions[4] and secondary research, we explore the barriers CISOs most commonly face when building a more proactive and business-aligned security organization, and describe the steps they can take to become strategic contributors to the enterprise.