A successful CISO determines early how to balance priorities and challenges.
Faced with escalating cyber threats and increasingly complex regulatory mandates, chief information security officers (CISOs) are experiencing growing pressure to protect critical information and infrastructure assets, while also embracing strategic business initiatives to integrate a comprehensive enterprise approach to cybersecurity. This can be especially challenging for CISOs who are new to their roles and those who are hired from outside and don't have deep knowledge of the organization.
"As organizations realize that cyber risk is intimately linked to their innovation and growth strategies, expectations of CISOs are changing dramatically," says Ed Powers, principal, Deloitte & Touche LLP and U.S. leader of cyber risk services. "An effective CISO can no longer rely on his or her technical expertise alone. They must understand how strategic initiatives create risks and develop security programs that balance the need to drive business performance with the growing realities and complexities of protecting customers, intellectual property, and brand."
According to Deloitte, the common challenges shared by new CISOs include:
* Lack of resources and effective team structure
* Ineffective communications/reporting among stakeholders and throughout the organization
* Inadequate governance including overall strategy and processes
* Lack of support or trust from executive leadership and stakeholders
* Insufficient funding
Deloitte has created a "four faces" framework that helps CISOs define their balance across four primary roles:
* Strategist: Drive business and cyber risk strategy alignment, innovate and instigate transformational change to manage risk through valued investments
* Advisor: Integrate with the business to educate, advise and influence activities with cyber risk implications
* Guardian: Protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program
* Technologist: Assess and implement security technologies and standards to build organizational capabilities
Deloitte has found that, on average, CISOs today spend 77 percent of their time as "technologists" and "guardians" on the technical aspects of their positions, but they would like to reduce this investment to 35 percent. This reflects a clear desire to place greater emphasis on the "strategist" and "advisor" functions.