CEO / Founder – CyberSecurity Expert – Global CISO

Hicham Faik
Published Nov 27, 2021
https://www.linkedin.com/pulse/evolving-role-ciso-hicham-faik
In 2017, 27 billion devices were connected through the Internet of Things (IoT). The International
Data Corporation (IDC) forecasts 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB)
of data by 2025. This explosion of connectivity has opened endless new opportunities for companies
to grow, affecting everything from product development to customer acquisition, even in
traditionally non-digitized industries. With those opportunities, however, comes a sharp increase in
cyberthreats: as the volume of data a company generates grows, it becomes a prime target for
information theft.
What is a Chief Information Security Officer?
The Chief Information Security Officer (CISO) role dates back to 1994, when banking giant
Citigroup (then Citicorp) suffered a series of cyberattacks and created the world’s first
formal cybersecurity executive in response. The CISO has since been the executive responsible
for protecting an organization’s proprietary data and intellectual property and for managing
the company’s overall security. In the past the role was defined rather narrowly along those
lines, but as connected devices and the sheer amount of data have multiplied, the CISO has taken
on a stronger and more strategic leadership role. Specifically, where CISOs were once seen solely
as security risk managers, they are now expected to be business enablers for the organization.
The role of the CISO now involves far more than ensuring regulatory compliance and adherence to
ISO standards (although compliance with applicable regulations and laws is still a big part of the
job). CISOs are responsible for the company’s security strategy and risk management, for assessing
its security vulnerabilities, for staying abreast of changing technologies, and for allocating the
resources the strategy needs. A 2019 study by 451 Research and Kaspersky reported that 70% of
CISO respondents named a greater emphasis on risk management as a top change in the role, and
risk management expertise is among the top three skills CISOs cite as important.
Top Qualities of a CISO
Cybersecurity is a highly dynamic field. The need for rapid, experiential decision making,
organized thinking and the ability to strategically communicate to a non-security audience are
almost second nature to many CISOs.
To succeed as a CISO in today’s digital world, these are the qualities to cultivate:
Matchmakers: CISOs must understand the big-picture mission and make strategic decisions that
align security goals with overall business goals. Executives expect the CISO to secure the
organization to the benefit of the business, not to its detriment. The consolidated set of
technologies and services in the security stack can deliver benefits to stakeholders well beyond
the traditional ones, and the ability to connect security efforts to tactical and strategic gains
for business operations, or even the bottom line, beyond plain risk reduction is critical to the
success of the role, the team and the program as a whole.
Relationship Builders: The CISO’s job may seem hyper-focused on security, but success is
determined by relationships. This may come as a surprise, since security professionals are usually
associated with their technical rather than their social skills. Understanding and speaking to the
needs and concerns of business units and their stakeholders is the most crucial aspect of the CISO
role. The real power lies in combining three things: an understanding of the needs and challenges
stakeholders face, the security and compliance risks we need their help to address, and the breadth
of technical and operational capabilities at our disposal. Stakeholders we help today will help our
cause tomorrow, particularly the usual allies of security (legal, enterprise risk management,
internal audit). Lasting change for the sake of business risk reduction typically comes through a
network of change agents, not the lone voice of a CISO “punching up.”
Servant Leaders: Set the strategy, manage priorities at the “epic level” (side note: if you’re
not practicing agile, consider doing so), clear a path for your team and guide as required. Don’t
manage the details; lead on outcomes and let the team work out how to get there. As the team
bubbles up risks and obstacles, use your relationships to knock them down so the team can make
iterative progress on the top risks and objectives. As noted above, CISOs no longer have the time
to manage every facet of the program; they must enable the team to push strategic efforts forward.
Advocates: At the end of the day, CISOs need to advocate for a cybersecurity infrastructure that
will actually protect their organization. This is no easy feat, as business leaders are often
skeptical about investing in cybersecurity when they cannot see the threats in motion. CISOs must
communicate the importance of sound cybersecurity and make the case for tools that will save the
business money in the long run. The CISO is the lobbyist for the security organization, fighting
for what is needed to stay protected under any circumstances.
CISO responsibilities
The CISO is responsible for ensuring the company’s data is protected from any number of
threats, including cyberattacks, data breaches, ransomware and phishing, and ultimately for keeping
the business digitally secure without practices so stringent that conducting business becomes
almost impossible. This balance often causes friction with other areas of the business. In most
cases the CISO works in tandem with, or reports to, the Chief Information Officer (CIO) to achieve
the security goals, yet the two roles pull in different directions: the CISO’s instinct is to lock
systems down and make them harder to access, while the CIO and their team are tasked with making
information and applications readily available to those in the organization who need them.
Today’s successful CISOs have a solid technical foundation but often also have business
backgrounds, an MBA, and the skills needed to communicate with other C-level executives and
the board. The actual mix of technical and non-technical skills a CISO requires differs by type of
organization, size, industry and so on; however, you can expect the job description to encompass
any of the following:
• Security operations: Key to this role is the real-time analysis of immediate threats and
resolving issues as they occur. If there is a data breach, the CISO will undoubtedly be
involved in the incident response, including determining what went wrong, dealing with those
responsible if they are internal, and planning to avoid a repeat.
• Risk management and cyber intelligence: Keeping up to date with emerging security threats
and developing a strategy to tackle the security problems they might cause.
• Advisor to the board: Keeping the board up to date on the security challenges that might
arise from big business moves.
• Data loss and fraud prevention: Ensuring employees are trained and educated in the
company’s data policies, such as the repercussions of the misuse or theft of company
data.
• Security architecture: Planning, purchasing, and rolling out security hardware and
software, and making sure IT and network infrastructure has been designed with best
security practices top of mind.
• Identity and access management: Ensuring that only authorized people have access to
restricted data and systems.
• Program management: Implementing programs or projects that mitigate security risks.
The breadth of information security and its ever-changing landscape and threats mean CISOs
must be hyper-aware of developments in the cybercrime world, learning the sophisticated tactics
cybercriminals use to attack companies. Thanks to the explosion of the digital supply chain, there
are more potential network entry points for cybercriminals than ever before, each posing an added
challenge for the CISO. As soon as one door closes, cybercriminals find another, often demanding
substantial sums of money in return for keeping the data they gain access to private. Some
organizations face hundreds of intrusion attempts every day. Juniper Research forecast that the
average cost of a data breach would exceed $150 million by 2020.
Cybercrime will more than triple the number of CISO job openings over the next five years,
with Cybersecurity Ventures predicting 3.5 million unfilled cybersecurity jobs globally by 2021,
up from one million positions in 2014.
How important is the role of CISO?
An IDC survey sponsored by Capgemini of over 1,000 large-enterprise executives across the globe
found that both information security and the people managing it are regarded as more important
than they were three years earlier. 69% of non-CISO respondents said information security had
increased in importance, while 77% reported that the personal influence of the CISO had also
grown. 90% of executives surveyed said the CISO is involved in significant business innovation
and change decisions, and over 60% said the CISO attends board and executive management
meetings.
Furthermore, in the previously mentioned 451 Research and Kaspersky study, CISO respondents
were asked whom they report to, which is a good indication of how important they are considered
within the organization. 41%, the largest segment, reported directly to the CEO and 23% reported
to the board of directors. Even those who did not report directly to the board were sought out for
their expertise. It would appear, therefore, that CISOs are seen as critically important within an
organization.
Yet, according to a KPMG and Harvey Nash report, only 29% of CISOs believe they’re very
well-positioned to deal with security risks.
Despite cybersecurity becoming a far more visible aspect of the modern business, CISOs are
often struggling for funding. In fact, in the 451 Research and Kaspersky study, when asked what
puts the highest pressure on cybersecurity management, competition for budget (46%) is ranked
almost as high as the growth and severity of attacks (49%). High-profile breaches and privacy
concerns are not going away, and if companies wish to remain in business, their cybersecurity
strategy must be viewed as fundamental to the ongoing success of the organization.
The key to responding quickly and proactively to increasingly automated attacks is
intelligence-driven cybersecurity. CISOs undoubtedly have their work cut out for them as they try
to stay one step ahead of the criminals. It is no surprise, therefore, that in a survey by Nominet
91% of CISOs said they suffer moderate or high stress, and 27.5% said stress affects their ability
to do their jobs. Worse still, almost half (48%) said work stress had a detrimental impact on their
mental health in the past year, almost twice the share reported in 2018 (27%).
Larger organizations are generally better prepared for cyberattacks than small and mid-sized
businesses, which may not have adequate information security measures and resources in place to
protect themselves; even so, it is an uphill battle for any CISO to stay that all-important step
ahead of the cybercriminals. As corporate security becomes more and more critical, CISOs,
especially those at larger organizations, often oversee an in-house team of security
professionals. Smaller firms that take cybersecurity seriously may outsource the job to a managed
services provider, and some companies do a combination of the two.
Future Forecast: Where is the CISO Role Headed?
Traditionally, CISOs focused on security strategy. They worked with stakeholders and direct
reports to understand and stack rank risks and related threats, and established and grew programs
and capabilities to stop them. Whenever a breach or significant security exposure was identified,
their job was to lead the charge in fixing the problem. Now, CISOs need to proactively think
about not just security strategy, but long-term business strategy.
In the era of the digital workplace, CISOs must not only focus on preventing threats but also
create systems that work for the business while keeping everyone protected. Constant innovation
and the creation and implementation of new strategies are already part of the CISO’s job
description. It means thinking not just about the threats in front of you but about the threats to
come, and how to stay ahead of them while keeping the goals of the business at the forefront.
Decision-making that ties business strategy and security processes into a firm knot is the only
way to stand straight amid the fast-paced, ever-changing storm of digital services.
The role of the CISO is evolving faster than ever, and becoming the jack of all security and
business trades. On Monday, they’re the superheroes keeping the cybercriminals out. On
Tuesday, they’re improving the organization’s security posture. By the end of the week they’re
C-suite ambassadors and innovating the concept of security, all while delivering positive
business value.
As the role continues to evolve and the CISO’s depth and breadth of knowledge of the business,
its underlying technology and its core risks grow, the role will continue to rise outside of IT and
be seen as a peer of the CIO. As enterprises continue to evolve, a growing number of effective
CISOs will be asked to inherit enterprise risk-management or infrastructure responsibilities. The
future remains bright for the CISO role, as long as we stay focused on truly aligning with the
business and managing risk around what matters most.
The role of the CISO is clearly evolving in response to the changing business world. In recent
years CISOs have made significant progress, expanding their influence and improving the
reputation of information security, firmly establishing CISOs as a strategic, business-critical role
that is fundamental to competitive advantage. Undeniably, one of the biggest strengths of today’s
CISO is to have a finger firmly on the pulse of changes in the cybercrime world, and the ability
to adapt quickly to new threats before the criminals are able to do serious damage.