Menu Close

Who is the CISO? And why every C-suite needs one

Like mobile apps, cloud computing and Twitter, two decades ago the role of the chief information security officer didn’t exist.

Today, Twitter and the cloud are all-pervasive, we check mobile apps dozens of times a day and the number of CISOs has climbed to record levels. According to ISACA’s ‘State of Cyber Security 2017’ report, in 2016, half of the organisations surveyed had a CISO. By 2017, that number had risen to 65%, and it continues to increase. Once hidden in a backroom, with the rapidly expanding cybersecurity threat landscape, CISOs now find themselves with a place in the boardroom.

In the past, CISOs were technologists first and foremost. They knew the right technologies and tools, they understood how to deploy infrastructure, and how to identify and monitor vulnerabilities. It was all pretty geeky stuff. But today, the risk landscape has changed, and so has the CISO’s role.

Business risk

Senior executives are grappling with the daily reality of adjusting their risk appetite in pursuit of business growth and so CISOs, with their place at the executive table, must also grow and rely on new risk management skills. A CISO needs not only an in-depth understanding of the business they operate in, but also the ability to provide counsel on what risks are appropriate for their organisation to take.

The reality is that no business is risk free, and risk is a normal part of growth. Without risk, an organisation will fail to thrive. What has changed over the past two decades is that it is now coupled with security risk. Bad actors know that the real money lies in compromising an organisation, whether it’s through denial-of-service attacks, ransomware, phishing or just good old intrusions that steal corporate information.

For this reason, a CISO must be able to convince and enable business unit and departmental leads to tightly couple business risk and cyber risk. It’s also vital that CISOs effectively engage with their peers to drive business risk management decisions that inform the overall cybersecurity strategy.


To supply this feedback and insight, a CISO needs advanced business skills. The top four skills CISOs need to fulfil this requirement are:

  • Communication – A CISO needs to effectively communicate their ideas to drive understanding, engagement and action.
  • Collaboration – CISOs need to build trusted cross-functional relationships that gain the confidence and commitment of their organisation.
  • Critical thinking – An effective CISO must make decisions that reflect good judgement and enable quick problem solving.
  • Leadership – This is the most important quality a CISO can have. A CISO must grow their leadership skills to influence the board, motivate peers, inspire vendors and empower their team.

Advanced skills

The skills of a CISO aren’t significantly different from any other C-suite role (with an added dose of high technology, of course). The individual needs to have excellent communication abilities, the capacity to collaborate and an aptitude for critical thinking.

In the past, CISOs were the enforcer, putting in place rules and regulations about how an organisation’s information technology assets could be used and what staff could and could not do.

The consumerisation of IT, the rise of ‘bring your own device’ and the extension of the business perimeter beyond the firewall has changed all that. Now the CISO is an enabler. Saying ‘no’ to a business initiative targeted at growth and increasing revenue because of an anticipated security risk doesn’t work anymore. Instead, CISOs must take a strategic look at business goals with their security glasses on, and then provide their feedback and insights to senior management and the board.

The reality is that every organisation needs a CISO. They have an equal seat at the management table and can provide insights into combining business risk with cyber risk to encourage business growth. Today, CISOs need to be more strategically savvy and elevate their thinking to be aware of not just how to protect their company, but also how to enable the organisation to achieve its objectives. Twenty years ago, CISOs barely existed. Today, they’re essential.

Leave a Reply