Istari

From Guard to Leader: The Changing Role of the CISO

Big changes in context propel big shifts in key corporate functions. Consider the chief financial officer. Long ago, when finance was less central to securing and maintaining competitive advantage, the CFO’s job was closer to accounting. It was more technical and operational, with little of the strategic and leadership dimensions that began to define it in the 1980s and have since become a core expectation. A similar shift is underway in the role of the chief information security officer (CISO).

Digital transformation has gone from buzzword to imperative. Employees, customers and suppliers are rapidly moving to interact online. And while operational streamlining and cost reduction are significant benefits to organisations, the most important driver of transformation is value creation. Once the information generated by a business is digitised, companies can reap enormous rewards from data. Organisations can use data to gain greater customer insights, make better business decisions and gain competitive advantages.


The challenging role of the CISO 

In a world where data is a major value-creation asset of organisations, protecting that data from cyberattack — a long-time priority of CISOs — is critical. Cyber risk has become a key agenda item for the executive leadership team and at board meetings. At the same time, however, most business leaders do not perceive the CISO as being part of the C-suite [1]. Instead, many see the role as a technology function that is not core to the business strategy.

Another complication for CISOs arises from related but separate roles. Many companies have a chief digital officer responsible for leading the digital transformation, and a chief data officer, who uses the data generated by digitalisation to gain greater insights and deliver more value. These roles often intersect, creating complexity and friction as well as mutual dependencies. As companies accelerate their transformations, they move all things ‘digital’ and ‘data’ from their usual home within IT into being recognised as the core value-creation asset of the organisation. Concurrently, these digital and data roles also shift to support the organisation in achieving its strategic business objectives. Amid such complexity, it can be all too easy for CISOs to default to their traditional role as corporate guardians of data.


Reframing the CISO Role 

In theory, the CISO is already well-positioned to unlock value in enterprises. Cybersecurity teams often have good insight into how organisations operate and where the critical asset of data flows. This can be a source of intelligence. It can support the organisation in confirming that business processes are operating as they believe them to be and identify weaknesses where this is not the case. Companies can use their cybersecurity team to improve operations, build sustainable processes and create a resilient business foundation. CISOs are then no longer acting as a guard: they are creating value.

In such a role, CISOs act less like security professionals and more like senior business executives who focus on security, risk and resilience. They contribute to organisational growth just like any other executive, such as the CFO. In fact, without broader awareness of business value, cybersecurity teams may stifle digital transformations, agility and innovation.

Part of the CISO’s redefined role must be to help the cybersecurity and other security teams to reduce risk — but in a frictionless way. Balancing security with ease of doing business requires that information security risks be thoroughly discussed and agreed upon at the highest levels of decision-making. Only then can risk to the organisation be understood, managed within the overall risk appetite, and “owned” collectively by the leadership team.

CISOs need to be at the centre of business discussions with the mindset of a business leader, not just as a guard. To achieve this transition, they should focus on building four key qualities.


Skills and qualities of successful CISOs 

Collaboration and influence. Because CISOs need a broad view across the organisation, they should strive to bridge different parts of the business, negotiating between them, finding areas of commonality, and bringing people together to create more value. This requires building trust and working through strategic influence instead of relying on a command-and-control structure.

Toughness. Difficult conversations are inevitable because it is not always possible to enable everything securely. As a result, the CISO must be comfortable having tough dialogues, driving robust discussions and taking a stand when needed.

Broad, business-focused perspective. Executing the role successfully requires CISOs to build capability within their own function, and to understand the organisation itself – how value is created and delivered to customers. With this understanding, they will be able to make more informed risk decisions and have more meaningful dialogue with peers and stakeholders. CISOs need to learn the business, not merely the business of security.

Risk tolerance. While security people (understandably) would love to remove every risk, there is no such thing as 100% risk elimination. Trade-offs abound, and organisations cope with a broad range of business risks every day. CISOs must be able to understand and articulate the specific risks the organisation may be taking in terms of technology, cyber risk and business value. But they also need to lead the conversation with respect to where that risk falls, what the trade-offs are, and just how much risk the organisation can tolerate.


The role of the CISO is still early in its journey. So it is worth remembering that the modern CFO role took years to evolve as well. As digitalisation advances, so will the role of the CISO. Those who want to help their companies grow and become more resilient need to build new skills and capabilities, and shift their mindset: only by moving from guard to leader can CISOs truly deliver the kind of strategic capability that companies require.


Sources

[1] Gallacher, L. A. (2019). Evolving the CISO role to make cybersecurity a competitive advantage. Harvard Business Review Analytics Survey sponsored by PwC.

Professor David Fairman


Advisor

David Fairman is an experienced CSO/CISO, strategic advisor, investor and coach. He acts as an advisor to ISTARI.

David has extensive experience in the global financial services sector. At NAB, David was the Chief Security Officer (CSO) owning all aspects of Physical Security, Fraud, Investigations and Cyber Security. Prior to NAB, he was the Group Chief Information Security Officer (CISO) for the Royal Bank of Canada. David has been a senior leader at JP Morgan Chase & Co as Deputy Technology Controls Officer and Global Head of Technology Risk and Control. David has also held several senior roles at the Royal Bank of Scotland (RBS), including CISO RBS Americas and Head of Information Security EMEA. David is a Professor at Deakin University in Australia and inactive Professor at NYU. 

David was recently featured by The Top 100 Magazine as one of Australia's Top 50 Professionals. 
