Evolving Role of the CISO: From IT Security to Business Resilience

by Geoffrey Coulehan on May 25, 2023

As organizations grapple with ever-evolving cyber threats, the position of the Chief Information Security Officer (CISO) has become increasingly important. Assessing and optimizing the reporting structure for this pivotal role is thus a priority. Traditionally, CISOs reported to the Chief Information Officer (CIO), but many companies are now looking at different structures — from having them report directly to the CEO or board to placing them in risk or enterprise data groups. It is critical to consider all factors and weigh each option carefully so that companies can get the most benefit out of their CISO’s skills and resources.

Direct Link to the CEO

Industry watchers are chiming in about an emerging organizational strategy impacting larger companies: changing the way CISOs report up the chain.

As the Wall Street Journal recently reported, companies have shifted to having employees in the CISO role report to executives outside the technology group — in other words, CISOs are increasingly reporting to CEOs instead of CIOs. The main driver for this change? Conflicts of interest.

To put it simply, “You can’t govern your boss,” as Ryan LaSalle, managing director of Accenture PLC’s North America security practice told WSJ. When CISOs report to CIOs, who are responsible for their company’s technology posture on the whole, problems can arise when assessing risks related to making tech project decisions.

Advantages and Disadvantages of Different Reporting Structures

Different reporting structures come with various advantages and disadvantages. Placing the responsibility for reporting under another C-suite executive may bring continuity and simplify decision-making because all information security lines would be under one leader, whereas a direct line to the board could elevate issues concerning cybersecurity risks and mitigation faster but may lack continuity if there are rapid changes or rotations in board members.

Sponsorships Available

The challenge lies in settling on a structure that maximizes collaboration between departments while adhering to any regulations specific to an industry or company size. Ultimately, organizations should seek a solution that prioritizes business objectives while leveraging all resources available to ensure effectiveness.

The Expansion of the CISO Role

With more and more large organizations relying on technology to conduct business, the need for a skilled CISO has become increasingly important. No longer just overseeing IT security efforts, the CISO is now responsible for a wide range of cyber defenses from data protection to compliance and even physical security. In addition, many organizations have had to adapt quickly to remote working in light of the pandemic, bringing further demands on the modern CISO to protect assets and personnel who can be anywhere in the world.

Given these changes, today’s CISO must remain constantly mindful of rapidly changing threats that are posed by digital resources. Unfortunately, this comes as many businesses are operating either fully or partially online; the risks posed by malicious actors trying to gain access to these resources are ever-present. It is thus becoming increasingly essential for any organization to have an experienced, capable, and up-to-date CISO at their helm – one capable of keeping an eye out for new threats while implementing adequate protective measures throughout all areas of their operations.

Changing the Status Quo

Research from Gartner suggests many CISOs lack the trust of their business partners, with some feeling that their value only comes through regulatory compliance instead of playing an integral part in driving business outcomes.

Perceptions about cybersecurity need to shift from a technical issue to one that should be integrated into overall business discussions.

In order for the role of CISO to evolve in the right direction, these status quos need to be changed so that collaboration becomes more prevalent between security teams and other departments within an organization. Doing so could create real changes in how security measures are introduced and managed on an enterprise level.

Benefitting from CEO Exposure

In recent years, data breaches and other network infiltrations have become increasingly commonplace, further adding to the risks involved with a CISO/CIO reporting approach. The inherent nature of the CIO role, to protect technology assets, stands in contrast to the CEO role, which relates to a larger picture view of a company’s business posture. Changing the reporting structure brings the CISO role more on par with the CIO role when it comes to board governance and reporting to CEOs. CISOs who have the ear of stakeholders in the board and CEO roles are better positioned to make more holistic decisions.

Ideally, CISOs will use their increased exposure to CEOs and board members to communicate more about cybersecurity impacts on business decisions. In fact, the CISO role has become more business oriented in these setups. As Myrna Soto, COO at cybersecurity firm Digital Hands, said at the WSJ Pro Cybersecurity conference in New York last year, “The Role of the CISO has become less and less technical.”

CISOs operating under this more modern organizational reporting structure are tasked with several responsibilities, including cybersecurity oversight, setting policies to ensure continuous operations in the case of a breach and overseeing business unit cybersecurity risk in addition to compliance.

Keeping Up with Threats

CISOs must ensure business resilience among all components of an organization’s infrastructure. These changes put them at the forefront of cybersecurity trends and necessitate staying current with sophisticated strategies like utilizing artificial intelligence, two-factor authentication, encryption technology, and other cutting-edge methods that help defend systems from potential attacks.

As organizations rely more on remote workforces than ever before, it is increasingly important for CISOs to have comprehensive solutions in place to protect data regardless of location. Today’s CISO must have a thorough understanding of data management while staying apprised of new technologies and regulations related to cybersecurity best practices.

Utilizing Artificial Intelligence in Security Defenses

With digital transformation and the evolution of cyber threats, CISOs are turning to AI and machine learning technologies to best protect their organizations. AI is incredibly effective in processing large volumes of data quickly and accurately, allowing cybersecurity teams to detect malicious activities much sooner than without machine learning support.

The advantage of using artificial intelligence and machine learning for security goes beyond the signal processing capabilities – it enables quicker response times and more comprehensive coverage of digital transformations.

Regardless of who a CISO reports to, in today’s environment, CISOs must be more than just technically-minded individuals. They must also possess excellent communication skills, and the ability to build and manage teams that are adept at collaborating and able to quickly adapt to changes.

These attributes are intertwined with traditional cybersecurity knowledge and combined with the right security tools will help make an organization secure from internal and external threats.

MixMode: Providing CISOs with the Tools they Need

When CISO and Chief Privacy Officer for the City of Phoenix, Shannon Lawson, was hired, he was tasked with the massive undertaking of keeping the city safe from breaches while balancing the other, less technical duties involved with his job. Lawson turned to MixMode’s AI-powered platform to modernize the city’s cybersecurity posture, including security information and event management, user and entity behavior analytics, network traffic analysis and network detection and response.

“MixMode can find the proverbial needle in the 14 billion haystacks to see which weird event may have occurred in the traffic,” said Lawson, adding that his training in information warfare and cybersecurity by the U.S. Navy and National Security Agency means he understands how easily network breaches can result from simple mistakes.

He also knows how the city can protect itself and its citizens — and he’s not shy about educating city leaders on why spending now will save much more down the road.

“People are not getting taken because they lack the latest vendor tool that does something,” Lawson says. “They’re getting taken or attacked, paying ransomware and having [personally identifiable information] spills because they aren’t coming back to the basics and working through the problems using best practices.”

To hear more about the City of Phoenix’s cybersecurity program, the practical business outcomes achieved using MixMode, including their experience effectively combating zero-day, non-signature attacks, and advice for CISOs evaluating security platforms to manage risk, click on the video below to see the full session from our Evanta CISO Summit: