Deloitte reveals top challenges facing new chief information security officers
Deloitte Cyber Risk Services' chief information security officer (CISO) Transition Lab defines the four faces of the CISO.
NEW YORK, August 12, 2015 — Faced with escalating cyber threats and increasingly complex regulatory mandates, chief information security officers (CISOs) are experiencing growing pressure to protect critical information and infrastructure assets, while also embracing strategic business initiatives to integrate a comprehensive enterprise approach to cybersecurity. Recognizing the growing challenges of this rising enterprise function, Deloitte, the leading provider of cyber risk advisory services, developed the CISO Transition Lab to help accelerate a CISO’s performance.
“As organizations realize that cyber risk is intimately linked to their innovation and growth strategies, expectations of CISOs are changing dramatically,” said Ed Powers, principal, Deloitte & Touche LLP and US leader of cyber risk services. “An effective CISO can no longer rely on his or her technical expertise alone. They must understand how strategic initiatives create risks and develop security programs that balance the need to drive business performance with the growing realities and complexities of protecting customers, intellectual property, and brand.”
This can be especially challenging for CISOs who are new to their roles and those who are hired from outside and don’t have deep knowledge of the organization. “One of the early expectations of a new CISO is that somehow you are going to step back and see the forest through the trees and be able to tell what you are going to do to make this security program take off. That is where the results of the Transition Lab came into play,” added Powers.
“Going through the CISO Transition Lab enabled me to understand these dimensions and make choices about how I can better build my team as well as discern my role that enables me to give more value to my organization,” said Tim Callahan, chief information security officer for insurance company AFLAC, the largest provider of supplemental insurance in the US. “Given all the pressures of the job, without that, you’re always putting out fires instead of having meaningful impact on the risk posture of the enterprise.”
Findings from Deloitte’s CISO Transition Lab reveal that the highest priority for 77 percent of Lab participants is to promote better integration of business and information security strategies, followed by improvement of data governance and protection. Improvements in the areas of security program governance and talent management are also named as key priorities.
Deloitte reports common challenges shared by new CISOs:
- Lack of resources and effective team structure
- Ineffective communications/reporting among stakeholders and throughout the organization
- Inadequate governance including overall strategy and processes
- Lack of support or trust from executive leadership and stakeholders
- Insufficient funding
A successful CISO determines early how to balance these priorities and challenges. The CISO Transition Lab introduces the four faces framework, which helps the enterprise security function find and define its balance across four primary roles.
Four faces of the chief information security officer:
- Strategist: drive business and cyber risk strategy alignment, innovate and instigate transformational change to manage risk through valued investments
- Advisor: integrate with the business to educate, advise, and influence activities with cyber risk implications
- Guardian: protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
- Technologist: assess and implement security technologies and standards to build organizational capabilities
Lab findings also indicate that, on average, CISOs today spend 77 percent of their time in the “technologist” and “guardian” roles, on the technical aspects of their positions, and that they would like to reduce this share to 35 percent. This reflects a clear desire to place greater emphasis on the “strategist” and “advisor” roles.
Deloitte’s CISO Transition Lab is an immersive one-day workshop that allows a newly appointed or incumbent CISO to step out of their daily work to take a fresh look at their function. After conducting more than 25 labs in its first year, Deloitte’s CISO Transition Lab continues to generate data and insights and highlights patterns in CISO priorities.
About Deloitte Cyber Risk Services
As part of Deloitte’s market-leading Advisory practice, Cyber Risk Services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte’s more than 1,800 Cyber Risk Services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, secure, vigilant and resilient cyber risk programs that better align security investments with risk priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.
About Deloitte Advisory
Deloitte Advisory helps organizations turn critical and complex business issues into opportunities for growth, resilience and long-term advantage. Our market-leading teams help our clients manage strategic, financial, operational, technological, and regulatory risk to maximize enterprise value, while our experience in mergers and acquisitions, fraud, litigation, and reorganizations helps clients move forward with confidence.
As used in this document, “Deloitte” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Deloitte reveals the four faces of the CISO
With this infographic, we reveal the four faces of the CISO. The CISO role requires a balanced focus across four faces, which enables the enterprise security function to maximize the value delivered to the organization.