It’s been over 25 years since Steve Katz was hired as the Chief Information Security Officer (CISO) at Citicorp, following a data breach that cost the company hundreds of thousands of dollars. He is known to be the first security professional to take up the title.
Since then, technology has advanced exponentially. This has led the role to evolve, with many businesses hiring CISOs to take charge of their cyber-security operations.
Yet, while businesses are hiring CISOs, they have been somewhat side-lined in the boardroom. Their importance is undoubtedly recognised by the CEO, but they are viewed as the last line of defence, not as the enablers they are and should be.
This needs to change. CISOs cannot just be called upon when there is an attack, and cyber security’s role in the business goes beyond reactivity. The CISO plays an important part in growing the business itself.
Generally, CISOs are in this position because they come from a technical background. But the position has been around long enough for it to mature into a business-focussed role, and those graduating into the position are now commonly from a data science and management background.
The challenge moving forward will be to shape the modern CISO to aid business growth by helping to develop a security-first strategy.
Back your CISO – it makes business sense
Today’s business landscape is increasingly reliant on digital methods. That makes cyber security more important than ever in achieving enterprise goals.
Return on Investment (ROI) is top of mind for C-level executives. What they don’t necessarily realise is that CISOs are as important as the rest of the board in generating these returns.
And this extends far beyond defending an organisation from potential breaches. Modern CISOs contribute to the business by designing a strategy for growth that identifies and mitigates potential risk along the way.
This allows organisations to take a proactive stance on cyber security – not just waiting to be attacked but actually looking at different ways to prevent an incident from happening in the first place. Subsequently, it helps the company’s reputation and maintains the trust of its customers.
CISOs have a seat at the table for a reason: digital oversight is more important than ever for organisations given the everyday role technology has in their operations. As businesses grow, so should the role that the CISO has in their strategy.
Good cyber security should be muscle memory
Bringing CISOs closer to decision-makers is important for businesses. But from a reputational standpoint, it requires a rethink about what a security leader does.
Currently, the perception is that a CISO will just put up and manage firewalls to protect the company – loosely speaking. This is, of course, one important part of the role – but CISOs need to go one step further.
Another of their primary tasks is running training and awareness programmes that can help to build a strong security culture throughout the business, protecting it as it grows.
And that should not be limited to one-off security sessions or refreshers. It includes a constant drip-feed of information so that employees are regularly reminded about the responsibilities they have. This creates a culture throughout the organisation that champions good cyber security.
CISOs are the only members of the board that can drive this, but it requires the support of the entire board to ensure it is driven successfully. They can provide oversight and advice to develop a security culture within an organisation that encourages security champions. This is the main goal for a CISO: to make the habit of good cyber security muscle memory, the same way you would always remember to lock your door when you leave the house.
Driving business growth through good cyber security
Practising good cyber security should not feel like a chore – it should be done naturally throughout a business, from entry-level to the CEO.
CISOs need the budget to introduce a programme that engrains good cyber security within the organisation’s culture. To do so, there needs to be an understanding across the board as to why it will positively benefit the business’ growth.
With a ‘security and privacy by design’ approach, businesses will be able to take the digital age by storm. It will be vital as they look to be successful and profitable in a more digital and connected society.