Many old and honourable professions exist – doctors, lawyers, even accountants. But the youngest aspirants to the title are those born in the digital era.
In the last two decades, the greatest challenges have arisen with our most exciting technological opportunities, with few being so pressing as the security, privacy and resilience of our digital world. The Chief Information Security Officer, or CISO, has become a recognized role supporting executives in tackling these risks.
But is the CISO role really the pinnacle of a profession? Will it be in the future, if not now?
After 30 years in security I still ask myself that question - can I really hold myself up as a professional? Do I have the right to compare myself to those indisputably honourable professions, and what does it really mean if I do?
The word ‘profession’ carries with it certain attributes which in older times conferred on professionals a great deal of respect. Professions such as medicine and law require long and arduous study in a specific skillset; they require professional qualifications embedding codes of best practice and behaviour; and they are regulated, both by governments and by the industries themselves, to maintain the highest standards of expertise. All this allows professionals to give impartial and expert advice in their chosen fields, independent of outside influence or personal bias.
So does the CISO really meet these criteria – and should I really aspire to do so?
The role of CISO was born in the mid-1990s, in the wake of the first major data security breaches at prominent banks. On the minds of executives at the time may have been how to limit reputational damage after such breaches, and perhaps how to avoid breaches in the future at minimum cost and interruption to the business. The CISO played a key part in re-establishing and maintaining confidence amongst treasury teams, clients and regulators.
This can create a fundamental conflict of interest between the CISO offering pragmatic and informed advice on sound security measures for an evolving organization, and the CISO being seen as an advocate for the organization in the face of potentially compromised security. So how independent or impartial should the CISO be?
Such conflicts are typically regulated in other professions, as is the requirement to attain professional qualifications before being allowed to use a protected term such as ’Doctor’, or ’Lawyer’. Few CISOs come into the role today without a suite of security qualifications and technical knowledge of standards and best practice guidelines, but in principle, one could be recruited to the position of CISO with none of these, and indeed on some occasions even without relevant experience. When I started 30 years ago, there were no qualifications at all, and the field of cyber security was nascent.
Going forward, what should we expect? To some degree, we’ve already seen an example of the evolving regulatory attitude in a distinct but related area – privacy. In 2018, under the EU General Data Protection Regulation, the position of Data Protection Officer (DPO) became a regulated role with professional training requirements and defined independence and reporting conditions. IAPP estimate that nearly 500,000 DPOs have been formally registered in Europe since 2018. Perhaps the DPO, in the way it changed the governance of privacy, shows us the shape of things to come for both security and resilience.
The CISO of the future should expect growing legal status and accountability (both pre- and post-breach). Organizations should expect the CISO to become a well-defined, mandated role, perhaps even required to sign off on controls statements and to disclose results to shareholders and in annual reports. We have already seen this codified formally in the New York State Department of Financial Services cybersecurity regulation (23 NYCRR Part 500), which requires covered financial services companies to designate a CISO and to certify compliance annually.
The title of Chief Information Security Officer may become protected, attainable only after achieving a professional certification encompassing both business security strategy and technical knowledge. Industry bodies would have recourse to remove such titles and to refuse a licence to practise to any CISO professional who violates codes of practice and independence. More broadly, we should expect to see the CISO role interacting more with, and depending more on, the broader ecosystem of industry peers, regulators and business stakeholders.
But there is a counter-movement which may see the CISO role evolve in a different direction. A topic, perhaps, for the next blog…