In the face of rapidly changing and growing security threats, the traditional role of the CISO is evolving. Adapting to the new reality is the key to success.
Enterprise-level corporate security, both cyber and physical, is an increasing concern in companies and businesses around the world as threats to both continuously evolve and become more extensive in scale. Noting the many well-publicized and disastrous breaches that have occurred over the last decade, company executives are more aware than ever before that just one data breach or another security incident can have a devastating effect on their business, negatively impacting their brand resulting in loss of customers, as well as severe financial losses due to fines, legal fees, and the cost of remediating damages. Companies realize that they must adapt and rethink their approach to the dynamic threats they face today and the increasing regulatory demands. No one at the C-Suite level feels the weight of these concerns more than the Chief Information Security Officer (CISO), with responsibilities that have been greatly expanded and changed, with more visibility and accountability, compared to only a few years ago.
Today’s CISO faces a whole range of emerging technical challenges brought on by many factors, including the widespread and growing use of mobile devices, the global nature of information sharing and access, compliance with new federal and state regulations, and the threat of attacks from both international cybercriminals as well as state-sponsored actors. In response to this new security environment, the CISO increasingly reports directly to other C-suite individuals, including the CIO, the CRO, and the company’s general counsel. This means that more than ever before an effective CISO must possess not only information technology expertise, but also communication, relationship, and business skills.
Not too long ago, the accepted philosophy was that physical security and cybersecurity were distinct fields with different specific responsibilities that should be treated as separate divisions. But with the new technologies and realities, more emphasis is being placed on the interdependent functions of a company’s CISO and the Chief Security Officer (CSO).
According to John McClurg, CISO, and Senior Vice President at Blackberry, as quoted in security, “The older view of separating physical and logical security is changing in enterprises, to where it is now quite common to find corporations where the corporate security and IT security worlds are fused. Both roles don’t get appreciation every day, but they certainly get the blame when it goes wrong.” Adds George Finney, CISO at Southern Baptist University, “From my perspective, being in cybersecurity for a long time, you just can’t have cybersecurity evolve without physical security doing the same,” he adds. “If you don’t get physical security right, you can’t guarantee the cybersecurity of your organization. And the opposite is also true. The two go hand-in-hand. That’s how you prevent crime. That’s how you ensure the safety of your community.”
The reality that companies have come to accept is that the IT security responsibilities of the CISO and all of the various duties of the CSO, including physical security, fraud prevention, business operations continuity, compliance, safety, brand protection, ethics, privacy, etc. are increasingly interrelated and that there needs to be a closer working relationship and coordination between their two divisions. This is the only way that a comprehensive overall corporate security strategy can be achieved.
This is not always a natural partnership to create. Often their personalities and professional approach to managing and problem solving are quite different, resulting in friction and working difficulties between the two. But experience is proving that the two functions can be merged successfully to create a formidable defense against the threats that companies face in the modern world.
The roles of C-Suite security executives will continue to change and evolve into the foreseeable future, and an ability to learn and adapt will be vital to their success.