As I prepare for my upcoming presentation at RSA 2022, I’ve been reflecting on the role of information security in modern enterprises and how it is evolving like never before. Security will need to improve third-party oversight as organizations increasingly depend on outsourcing models for scale flexibility, efficiency, and cost savings. It will also need to do a better job of balancing security requirements (e.g., regulatory compliance, risk management) against business objectives (e.g., user experience, network performance, reducing costs).
To keep up with this shift, the role and responsibilities of the Chief Information Security Officer (CISO) need to evolve as well. But this shift is just as much about an evolving culture as much as it is about changing infrastructure and multiplying risks.
To get a better understanding of these changes, let’s start by airing out a few of the most common complaints from management teams and executive boards regarding the current tenure of today’s CISO:
- Security teams don’t positively engage with business
- Security strategy and spending doesn’t align with the organization’s business strategy
- Security focuses on information protection at the expense of other corporate goals
- Security is a roadblock to innovation and revenue growth
- Security can’t articulate value to the business
To be fair, today’s CISOs face a much harder job today than they did even a few years ago. Their attack surface is sprawling as a result of remote workers, multi-cloud services, and unending cycles of business digitalization. Threat actors are launching increasingly sophisticated attacks that use advanced technologies like artificial intelligence (AI) and machine learning (ML). Attack volumes are on the rise—with things like a 450% increase in phishing downloads over the last 12 months. And there’s also more vulnerable information that is being collected and shared than ever before—with total the amount of data in the world projected to more than triple from 2020 to 2025. (On top of that, CISO mental health is of increasing concern, disproportionate to a wider understanding of why burnout occurs so often in CISOs.)
When I started security at Visa 25 years ago, it was my responsibility to secure the organization. Keep the bad guys out, let the good guys in. I thought it was complex at the time. But over the last decade, virtually every aspect of the security team’s responsibilities have become increasingly more complex. Securing the internal organization is still at the core, but now we also have to manage third-party risks as well risks with vendors and software-as-a-service (SaaS) applications. Regulatory compliance risks have also gone up a hundred fold since those days with the emergence of things like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and strict Payment Card Industry (PCI) standards.
The security leader’s job has become exponentially difficult—while the potential for a successful attack that significantly impacts the business is also rising. And so for security matters to be taken seriously, we really need to change the executive team’s perception of security. It needs to become a value to the business. Just like any other department, it needs to create value in coordination with the broader trajectory of the organization.
At the end of the day, the goal of the security leader is still to protect the business. But some critical skill limitations of the traditional CISO’s role are starting to interfere with that prime directive. The effects of business digitalization and shadow IT are widening the gap between the security team an