techUK has released a new cybersecurity report dedicated to the CISO. It includes seven recommendations for the CISO to help cybersecurity be seen as a business enabler. By changing the focus, techUK believes the business will stop seeing cybersecurity as a cost drain on the organisation.
Dan Patefield, Head of Cyber and National Security at techUK, said: “As cyber security underpins an increasing part of everything an organisation does, the role of the CISO function continues to evolve, enabling cyber resilient cultures to develop over time. It is critical for the CISO function to embrace wider skillsets beyond the technical, with an emphasis on commercial, communication and leadership.
“The key areas of focus outlined in this report, and the practical steps recommended will guide organisations’ approach to this function as digital transformation continues apace. In doing so, we can ensure that cyber security is viewed as a true business enabler and create a strong foundation for that long-term cultural change to occur.”
What are the techUK recommendations?
The seven techUK recommendations are:
Recommendation 1: The CISO must help the Board to recognise cyber security as a business enabler, and a critical ingredient in helping the organisation to deliver on its digitalisation journey.
Recommendation 2: The CISO should look beyond the purely technical and focus on business risk management. The CISO must have, and embrace, wider business skills and knowledge to drive change across all business functions.
Recommendation 3: The CISO must be prepared for all types of crises: identify the principles that will guide you in decision-making – and test them.
Recommendation 4: The CISO should build a digital empathy system: use telemetry data from trends to understand how people are working in the system to improve experience and reduce risk.
Recommendation 5: Supercharge the human firewall: the CISO should sharpen security hygiene to encourage people to adopt digitally safe behaviours and be on their guard against cyber threats.
Recommendation 6: The CISO should build the case for investment in appropriate threat intelligence so that they are equipped to help their leadership teams understand the business problem in context and to support improved decision making.
Recommendation 7: Diversity is a strength to be actively sought within the security team (and beyond). The CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action to ensure a team that makes better decisions.
What makes this interesting?
What is interesting about this report is that it shows how the role of the CISO is constantly changing. According to the report, many started with, and are still stuck in, a technical and cybersecurity managerial role. But is that really where the CISO adds value?
Part of the role has always been advising the board on what the company should be doing. However, if that advice is purely about buy this, buy that, the CISO will always have to report to someone more senior to get access to the board. In addition, should the CISO be the head of the IT security team? There is a strong case to say the CISO should act on behalf of the business. Their role would be holding the IT security team to account.
This is where the detail of the report comes in. It points out that CISOs are too often inward-facing. It says there is now a desire for the CISO to widen their role. They should be involved in business risk management, board engagement and strategy planning as part of the role. Many CISOs already participate in some of these, but not all of them.
Four key skills for a CISO
The techUK report breaks the CISO role into four key areas – technical, governance, leadership and strategy. It then details what it believes each area entails. The question here is whether one person can do all of that to a high enough level.
Should the CISO role be split? As techUK points out, “Many CISOs are too heavily focused on technical, reactive responses to emerging threats and breaches.” That focus on technical matters often leaves the CISO outside the board. When they respond to the board, they don’t use the same language as the rest of the board. This has to change.
Interestingly, techUK believes that this is an issue of maturity. It believes that the CISO could eventually become the Chief Information Risk Officer (CIRO). Enterprise Times sees a slightly different maturity here. There will always be a need for a technical focus, so perhaps the solution is to split the role in two. Doing so would have a significant benefit for the organisation.
The technical CISO would be responsible for holding IT security to account and implementing the proper technical controls. The CIRO would set policy, but not just for the organisation’s cybersecurity. It would take a wider view across the whole supply chain, looking for the wider risks. The technical CISO, Chief Procurement Officer and others would report to the CIRO. Such a move would meet all the goals of the future CISO as outlined at the beginning of the techUK report.
Enterprise Times: What does this mean?
The CISO role is the least well-defined job in any organisation. There is little training for it and little support when people are appointed. Instead, they are often under pressure and even attacked from all sides.
There is also no formal route to becoming a CISO. That is changing, not necessarily for the better, as some organisations set out lists of qualifications a CISO candidate must have. None of those guarantee success in the role, and almost all lack the wider skills that techUK believes are necessary.
We are well overdue a revision of what the CISO role should be. This report provides a useful point for organisations to start that conversation with their CISO. The idea of a CIRO who would take that board responsibility and have a wider responsibility makes sense. It would also provide a career path for those looking at the CISO role to decide whether to focus on technical or more strategic skills.