When does security become so integral to the business that the idea of having a single individual accountable for it stops being practical? Security should be like air; you only notice it when it’s not there.
We’re a long way off this point, but the last 25 years have forced organizations to grapple with cloud technology, robotics and AI, smart infrastructure, social media and complex digital supplier ecosystems, among other challenges. And the natural question for the slightly nervous CISO is, “Really, am I responsible for the security of all of this… how can I be?” I felt that many times when I was in the maelstrom of an incident, and even more so when I was called to brief the Board in the aftermath.
This made me wonder whether I could really be accountable for the security of all this. And from what standpoint – first or second line? As technology becomes a prerequisite for success in the digital era, security and resilience become such expansive enterprises that a single person assigned to govern them is doomed to failure. As such, they end up being a convenient scapegoat for incidents such as data breaches and continuity events.
The CISO of 2020 also faces challenges far beyond security itself, traditionally a first line of defence role. These include scanning the regulatory and legal horizon (a second line role); understanding the changing threat; the ethical consequences of security solutions and investigations; and potential social and political ramifications of the products and services they contribute to.
With all this on their mind, it’s easy to see why CISOs struggle to understand where they sit in an organization. Going forward, we may see the rise of a new second line role of Head of Cyber Risk, while the CISO’s first line responsibilities and accountabilities diffuse and embed across the business.
Rather than a single security team, can we expect to see security-trained individuals in business units responsible for embedding and coordinating security requirements across business operations? Security controls will become more integrated and automated, with continuous internal audit assessment and compliance scanning working within DevOps environments to embed security in products without slipping expected deadlines. The infusion of automation into these processes may even blur the boundary between first and second lines, and the segregation between development and production environments that the CISO is normally accustomed to protecting. All of these serve to make security less obtrusive, less of an obstacle to business processes, and help to reduce the burden of future security operations and management.
Meanwhile, embedding security in the values of the business, and embedding security as a business priority, moves accountability from the shoulders of the CISO and, rightly, into the hands of the business. As the duties of the modern CISO diffuse through business units such as finance, product development, and infrastructure management, the future CISO’s role will distil down to some key elements, requiring a fundamentally different skillset from the technical palette held by today’s cohort.
I saw those changes starting in my clients – but it is all too easy to still regard the CISO as responsible and accountable for everything. They can never be, and I was quite clear that accountability lies with the business, who are the ultimate risk takers and decision makers.
The future CISO’s primary role will involve taking a longer-term and strategic view of the security challenges faced by the organization, becoming a major player in large-scale change initiatives and corporate transformations, offering independent challenge where required and embedding security into the business. This role, in particular, is crucial in an era of continuous digital disruption and transformation, and is consistent with the broader change from operations to oversight (first to second line). CISOs would also serve to connect key stakeholders on matters of security, both inside and outside the business: a cooperative point of contact for regulators and business department leads alike, helping to facilitate a coordinated and trust-based relationship between teams.
Whilst the role may become clearer and more focused, contemporary CISOs need to consider how the expectations of their role will change in the eyes of regulators, consumers and peers. For now, we should be asking ourselves: where will the CISO of the future sit in my organization? And will they even recognize the role of their predecessor?
All of this is here and now, but perhaps we might look into a crystal ball and ask ourselves what of the next five years, the topic for our next blog in the series…