The National CIO Review is a nationally-followed, online publication dedicated to both the community of Chief Information Officers and the broader technology industry. 

© 2019 The National CIO Review. All rights reserved.

The Organizational Importance of the Chief Information Security Officer

March 29, 2019

 

Forbes Magazine projected global spending on information security to reach $124 billion in 2019. This shouldn’t be wholly unexpected: digital security is a priority for companies and every high-profile breach is more reason for organizations to invest in defenses. As threats from outside attackers become even more severe, this strong financial focus is fitting.

 

One of the best security investments that companies can make is to ensure that their CISO (Chief Information Security Officer) has the responsibility and oversight to direct a robust response. The CISO position has grown in visibility and prominence recently, and it's incumbent upon today's leaders to make sure that these officers don't get buried in organizational charts. Information security as a priority affects all levels of business operations, and a clear response from the top levels of leadership is essential for long-term operational success. To invest in future stability – a goal that should be at the top of every business leader’s list – companies need to ensure that their CISO is empowered and prepared going forward.

 

The Current State of the CISO Role

The decision-making power of a CISO depends on reporting structures and collaboration. Organizational charts have much to say about the prominence of the CISO role, and companies who give these leaders clear reporting channels position themselves for success. In an article for Security Intelligence, writer Christophe Veltsos reflected upon the hierarchies most CISOs operate in. Sometimes, he claimed, a lack of influence with other senior leaders can inhibit the power of technology leaders, even if they communicate regularly. Veltsos wrote, “it isn’t always clear whether those interactions constitute true risk management or merely lip service.” Without the right influence, CISOs are unable to ensure the best results.

 

 

When it comes to security, reporting channels should encourage as much cooperation between executives as possible. This collaboration is important for all business functions, but it is especially critical for security. In many cases, this approach leads to high-level work between CIOs, CFOs and CISOs, truly making information security a primary goal for the entire C-suite. Nearly every CIO is concerned with security as well (including some who have spoken to the National CIO Review, such as Dennis Yang or Beth O’Rorke), and the prominence of security threats now means that the best leadership teams must approach this issue as a critical priority. In situations where a CISO can quickly report key findings to receptive leaders, there is more room for a successful approach and quick response to any risks.

 

It’s also worth pointing out that even a clear chain of command only works if every leader is invested and attentive. A traditional organizational chart is useful for allocating responsibility, and placing the CISO near the top of the list demonstrates that organizations want to prepare this role for success. Even with this level of preparation, though, it is still incumbent upon other leaders to pay attention. Without high-level cooperation, there is no way for a CISO to adequately shore up defenses against present or future attacks.

 

Security Risks as a Business Function

Collaboration and communication channels are important because of this simple fact: information security is critical to business success. As we have written before, planning and mindset are key ingredients to a strong security approach, and the presence of an empowered CISO in an organization reflects appropriate prioritization among its leaders. In a contributing article for Gartner, writer Jill Beadle reflected on the business priorities that security brings. She wrote, “The goal is to shift the view of security and risk from a technical problem to a strategic priority. CISOs must apply rigor and perspective to the business orientation, cost, and value of risk management and cybersecurity.” Beadle’s words reveal this shift: as a business priority, security falls to all levels of leadership.

 

 

With this business focus in mind, a unified response from the executive level (led by the CISO) is vital to success. By emphasizing cooperation and empowering leaders to effect change, the entire C-suite can cooperate at the highest levels. In an article on the CISO role, Scott Koegler wrote, “every facet of the enterprise depends on a secure IT infrastructure, and today’s CISOs are finding that they need to work with multiple C-level authorities.” CISOs are highly skilled individuals who often bring decades of training and experience to their companies. Buried in an organizational chart, though, their experience is useless if these leaders can’t apply it directly to the most pressing problems.

 

In addition, talent shortages across technology sectors make leadership even more important. We have written before about hiring strategies to overcome the most pressing talent gaps, but one of the best ways to counteract a lack of skilled employees at the operational level is to fine-tune approaches with specific goals and individuals in mind from the highest levels of leadership. Having a good CISO doesn’t negate the importance of good IT team members, but any approach to overcoming talent obstacles needs to originate at the executive level with collaboration and measured strategies.

 

The CISO Role as Future Investment

Establishing clear reporting channels for CISOs and cooperation at the C-level is critically important for future innovation and safety as well as present success. Going forward, the best companies will continue to ensure that their security leaders have the organizational authority to enact strong policies. The ideal reporting structure for any given company may vary significantly based on industry or region, and the most important element for a successful security approach is to empower skilled leaders to make the right decision.

 

 

The technology “arms race” that has made the CISO role so important in recent years is unlikely to relent soon. Consequently, the role of the CISO seems likely to gain even more importance as years pass. Organizations are increasingly willing to hire individuals for C-level information security roles, showing that lines of business leaders understand the value that a skilled CISO brings to any business. The number of data breaches that continue each year demonstrates that companies that are reluctant to invest time and resources into protecting themselves from attacks are likely to end up as high-profile victims.

 

From a high-level perspective, it’s clear that executive approaches will continue to drive security decisions. If organizational structure and collaboration will determine much of CISO responsibilities in the near future, the most important security decisions will continue to come from the top. Day-to-day operations will always be massively important for companies, but the degree to which a company’s CISO can outline and determine the direction of these operations will often determine success or failure. As companies continue to think of ways to meet rising security threats, enabling their most skilled leaders is the best way to present a unified defense.

 

Security and Success

The subject of information security is one of the most important in the field of technology. A security failure can mean the end of a career or – in some extreme cases – the end of an entire organization. Companies that fail to protect either their own data or customer information attract a great deal of public scrutiny, and it has become increasingly obvious that information technology is critical to business success. Amid this tenuous and often risky landscape, the role of the CISO has grown and evolved.

 

CISOs occupy an interesting – and sometimes unclear – place in most organizations’ hierarchies. They have an important task, one that influences nearly all aspects of company success, even though this doesn’t guarantee the full cooperation of executive leadership. Organizational charts show a great deal of the importance of the CISO role, but internal expectations and attitudes are just as important in some cases. Going forward, the composition of future reporting channels within companies will say much about whether the CISO role continues its upward trajectory of prominence.

 

The best companies always have an eye toward future plans. Whether this means investing in new technology, constantly re-thinking hiring strategies or simply adapting to changing circumstances, successful leaders know that only focusing on the present will leave their organizations susceptible to multiple threats. From a long-term perspective, investing in security through the CISO role is one of the best ways to prepare. Whether this means changing an organizational chart, the reporting process or even striving to rework internal attitudes, there are many ways that executives can make sure that their CISO is positioned for success. As security concerns continue to shape business growth, this is a strategy worth pursuing.
