No C-level role has evolved as quickly and radically as
chief information security officer (CISO). The CISO role first emerged from the headline-making
“mega breaches” of the early 2000s, when it became apparent that cybersecurity
issues could have serious business ramifications. Back then, the role was
largely technical in nature (the CISO's job was to build a technology perimeter that kept attackers out and stopped breaches
from happening) and, really, it was C-level in name only—most CISOs reported to
chief information officers and did not have a direct line to the CEO like other
The early days of CISO evolution also had a dark chapter. As
the breach epidemic picked up steam, so did the scapegoat status of CISOs, who
often found themselves in career jeopardy following publicly disclosed data
breaches. Life in those days was difficult for CISOs. There was still a general
belief in boardrooms that breaches could be prevented with some degree of
certainty, so CISOs were tasked with an impossible job: preventing the
That perception is changing today. I would venture to guess that no CEOs or board members in the Fortune 500 believe data breaches are 100 percent preventable. Those same enlightened executives and directors want to understand if the company is prepared to effectively respond to a major security incident. After all, if breaches are not completely preventable, then breach-response preparedness becomes the most effective tool for managing business risk associated with data breaches, which can include operational disruption, litigation, regulatory fines, customer attrition, and loss of intellectual property.
In this respect, cybersecurity has come to resemble the electric grid. Utilities
can do their best to reduce the likelihood of blackouts, but violent storms
will still cause power outages. Therefore, the measure of competence for an
electric utility is not so much its ability to withstand violent storms without
blackouts. Rather, the company’s success is measured by how effectively it
minimizes impact and how quickly it can bring power back online after the
storm. Likewise, the measure of competence for a CISO is not so much their
capacity to prevent every conceivable breach, but whether or not they have a
codified, rehearsed, and company-wide incident-response plan in place that can contain
the incident and minimize the damage caused by a data breach.
Which brings us back to the evolving role of the CISO.
From those early days of being technical people and easy
scapegoats, today’s top CISOs have a much broader role within business. That
broader role requires a fuller skillset. They still need to understand the strategy
and technology of cybersecurity, not to mention IT in general, but they also
need to have the management acumen to make strategic investment decisions and to
effectively deploy staff and third parties. They also need to have the
vocabulary to translate security program objectives into business terms for the
board of directors.
And, most importantly, they need to be able to instill
confidence in the board that they know how to prepare the company to respond to
a data breach, because breach-response effectiveness can mean the difference
between a “blip” of bad publicity and an ongoing morass of litigation,
regulatory fines, and customer loss. It is for this reason that what was once
the career “kiss of death” for a CISO—being in charge when a data breach
occurred—is now a resume builder. Boards rightfully want to ensure that the
CISO knows how to “land the plane” following a breach, so what better
experience could there be than to have already managed a breach-recovery
situation—particularly when the outcome was as favorable as possible?
It’s been a wildly complicated ride for CISOs. Moving from
“tech jockey” to strategic business executive in little more than a decade is
not an easy shift. There is still a long way to go, as many CISOs are still
viewed as technical hands by senior management and directors, but the trends
are clear: more and more CISOs are getting a seat at the boardroom table. And with
savvy boards of directors, breach experience gets CISOs invited into the
boardroom, not thrown out of it. That’s a change for the better.
Mark Adams is the senior practice director of risk
transformation at Optiv.