The role of the Chief Information Security Officer (CISO) has evolved greatly in recent years, from being the person who said “no” to everything to being a trusted partner of the business. In this article I go over the skills and technologies future CISOs need to adopt for future success.

The typical CISO

A typical CISO is usually responsible for setting the security strategy of the company and making sure none of the “bad guys” get in and compromise the environment. A CISO is expected to combine business expertise and technical skills along with good business communication.

If you are not able to communicate technical terms in simple layman’s terms to the C-level, then your career as a CISO will be difficult.

In the early days after the CISO role was introduced, it was a more technical role in which the CISO sat under IT or Risk Management, reporting to the CIO or the Chief Risk Officer. Rarely did the CEO and CISO meet, due to the mistaken assumption by the CEO that security was just a technical problem and not a business one. The rise of the billion-dollar cyber crime industry put that mistake to bed, and CISOs now pretty much have direct access to the CEO and regularly present cyber security risk postures to the Board.

The CISO of the future

Despite the stressful nature of the job, CISOs have it pretty good nowadays, commanding great salary packages and authority within companies. However, the digital landscape is undergoing massive changes, with technologies like Artificial Intelligence, Metaverse and Quantum computing all poised to introduce new risks and challenges. I go over a few key trends which future CISOs need to keep in mind to have a successful career:

🔒 Embrace Zero Trust: The pandemic has accelerated a surge in digital transformations and the perimeter (which was already being eroded) is pretty much dead. CISOs need to realize that it is data that needs protection and not devices or endpoints. The Zero Trust Model, which I have written about before, needs to be adopted for an effective security strategy; however, two key points need to be noted:

  1. Zero Trust is not a product (don't buy products for Zero Trust). It is a concept that needs to be applied across the board.
  2. Zero Trust is not just for cloud applications. On-prem systems are as critical and need the same level of security.

Access needs to be controlled via context-based dynamic scoring based on the user’s identity, location, profile, risk score, device profile etc. The CISO who does not have Zero Trust on his or her roadmap will have a difficult time securing tomorrow’s environments.

👨‍💻 Age of the virtual CISO (vCISO): Despite the importance the role of the CISO carries, the hard fact remains that a lot of companies cannot afford the salary of a full-time CISO. The new model of CISO as a service, or Virtual CISOs, is a growing trend among smaller companies who are serious about security but simply do not have the budgets to afford one. A virtual CISO can be hired at a lower cost and with a lower risk of turnover, while the organization benefits from the knowledge and experience that he or she brings. This model is something future CISOs need to keep in mind as an option.

🕶 Metaverse is coming: With millions of dollars being poured into the Metaverse and its promise of a trillion-dollar economy by 2030, there is no way that CISOs will be able to escape the promise of the Metaverse. Although it is still evolving and forming as a concept, new forms of social engineering and financial scams are going to pop up in the Metaverse, and CISOs need to start their risk assessments early on and get proactively involved in Metaverse groups so they can steer decision making.

🧠 AI as a blind spot: CISOs have fully embraced AI in their security tooling, with every other vendor boasting “powered by AI” in the tools they adopt. However, CISOs are still behind when it comes to the inherent risks present in AI and Machine Learning systems. AI introduces new and completely unique types of risks which most cyber security teams are unaware of. From DeepFake scams to pollution of machine learning models, AI-based systems are a completely different game from standard applications and require new security controls to be put in place. CISOs need to make sure they have a framework ready for identifying and mitigating these risks.

The future is bright for CISOs

The role of the CISO has evolved and will continue to evolve. It has now become a critical role for most organizations and is now embraced as a business enabler. However, the changing technology landscape requires new strategies, and future CISOs need to upskill to make sure they are up to the challenge.