Opinion: Simon Kouttis, head of cyber security practice at Stott and May, looks at the dramatic evolution of the Chief Information Security Officer.
Over the past few decades, IT has become more and more sophisticated. Unfortunately, so has cybercrime. The internet; mobile devices; cloud technology; they have all changed our working lives for the better, but the more agile a business becomes, the bigger the security threat. Cyber-attacks have become more diverse and complicated in response to the diversity and complexity of modern technology.
This means the role of the Chief Information Security Officer (CISO) has evolved dramatically over the last few years. Once the most technical person in the room, today’s CISO must be a business enabler, someone focused on the wider business objectives, and they must possess a broad range of skills.
Gone are the days when one size fits all – every business has different objectives based on the threat landscape. Given the potential monetary loss and reputational damage that comes with a cyber-attack (just ask the likes of Sony and Talk Talk), it is more crucial than ever to get the right CISO for your business. But this is easier said than done.
The one that works for your company will depend on your company’s specific needs. The best analogy I can think of – and trust me, it’ll make sense at the end – is sports shoes. Think of businesses as elite athletes. Every sport requires different physical attributes and different equipment. There isn’t a pair of trainers on the market that can be used for everything, and there’s no one kind of CISO that will be ideal for every business.
The Operational CISO
Let’s take that footwear analogy and run with it. A good distance running shoe is designed to deal with all sorts of terrain and generally handle anything thrown in its (often long and winding) path. It’s not built for short bursts, and won’t perform that well over 100m – but then, it’s not really supposed to.
The operational CISO is comparable in the sense that their eyes are typically on the horizon rather than what’s immediately in front of them. This isn’t to say they’re incapable of dealing with problems that truly come out of nowhere; simply that they’re at their best when they’re thinking of information security in terms of the company’s overall five-year (or even longer) strategy. They don’t tend to have huge budgets, so they take pains to make sure every employee – and especially those in IT – is rigorously adhering to procedure. The idea is to create a culture of safety, rather than to nip problems in the bud as they arise.
If you value steadiness and endurance over raw speed, then this CISO will typically do very well for your company.
The Transformational CISO
Even the best trainers wear out eventually. When this happens, you’ll typically have to shop around for new ones. It’s always a good bet to go for something a little different, and the running spike is an excellent way to go. It’s speedy, it adapts easily to new situations, and it features a totally different design from standard models.
Processes don’t work forever; those that were suitable five or ten years ago will prove outdated sooner or later. In this case, the transformational CISO works similarly to the running spike: they’ll rapidly alter the way you do things, and while it might be an uncomfortable transition at first, it’ll be to your advantage in the long run.
When you need to make serious change quickly you’ll want to bring in this executive.
The High-profile CISO
If you’re a football fan, you’ll know the phenomenon when you see it: your favourite players, all wearing shiny, gaudy, and sometimes neon-coloured boots. You’ll likely wonder what the point of all that ridiculous, loud design work is. Is it supposed to distract defenders? Does luminescent pink really make you strike the ball any harder? But over time, you’ll put these reservations aside, because the players wearing them are the best in the business: Sergio Aguero. Lionel Messi. Cristiano Ronaldo. They might seem a bit expensive and flashy, but they do the trick.
A high-profile CISO operates in a similar fashion. Typically they’re brought in after a security breach has already occurred, but they’re also sometimes employed simply to reassure the rest of the company that it’s in safe, experienced hands. This kind of CISO is undeniably an expert in both IT safety and business – and this expertise doesn’t come cheap.
That said, while you’ll certainly find more budget-friendly execs out there somewhere, you won’t find better. It’s true in flea markets and executive suites alike: you get what you pay for.
The Technical Expert CISO
The tennis shoe is useful when you’re playing tennis, but like tennis rackets and tennis balls, it has limited applicability to anything else. Of course, when you’re playing tennis, why would you need anything else?
The same applies to the technical expert CISO: the one you bring in when there are clear and problematic security knowledge gaps. They’ve got an established history of introducing more robust IT safety procedures; they know the technology better than anyone else on the market; they’ll introduce a strict, borderline- rigid methodology that may seem discomfiting at first – but it works, and you’ll be better off for having it.
They’re subject matter experts through and through and can skilfully negotiate changes in direction, just like an agile tennis shoe.
The Educational CISO
You can’t really wear a football boot or a pair of trainers when you’re trying to climb a mountain or negotiate unpredictable terrain. If you want to avoid getting pain in your feet over a long journey, you’ll need a pair of reliable, sturdy hiking boots.
If your company is relatively naïve about cyber security, you’ll want to hire a CISO with the patience, knowledge, and general wherewithal to educate your team over time. The educational IT safety exec takes a didactic role, influencing key stakeholders and impressing best practices upon all employees. It’s a long and treacherous road, but the educational CISO is always ready to help your team walk it.
Having the right CISO is as important to business success as having the right footwear is to sporting success. Your company will have very specific requirements, and you’ll want to hire an executive that can meet them. It’s much harder to find an appropriate CISO – but it’s always worth it in the long run.