SecurityWeek

CISO Strategy

The Perilous Role of the CISO: Navigating Modern Minefields

As organizations grapple with the implications of cybersecurity on their bottom line and reputation, the question of whether the CISO role is worth the inherent risks looms large.


In our current digital age, the Chief Information Security Officer (CISO) stands at the forefront of protecting their companies, customers, data and other stakeholders from an increasingly hazardous threat environment. Once focused primarily on securing networks and systems, the CISO now contends with a myriad of challenges, from stringent regulatory requirements to heightened personal legal liability stemming from data breaches and compliance complexities. The pressures have mounted to the point that some people who once considered the career path are now hesitant to pursue it.

“I am hearing more and more high-end security people ask the question, ‘Who would want that job?’ It’s a very good question,” said Robert Hansen, Managing Director of Grossman Ventures. “I’m not sure companies understand how imperiled CISOs are. If there’s a financial upside, I can understand the rationale, but I would caution newbie CISOs to get a very good attorney to review any new onboarding agreements and make absolutely sure there is as much indemnity built into those clauses as possible. And I would spend a lot more time looking into insurance products that might help offset the risk. Because it’s a lot of risk.”

Regulatory Challenges: A Shifting Landscape

The evolution of the CISO role parallels the rapid changes in regulatory frameworks and cybersecurity threats. Hansen emphasizes that “staying on top of the regulatory minefields” is a predominant pressure facing CISOs today. The regulatory environment is in constant flux, with new mandates and international sanctions altering compliance requirements almost daily. For CISOs, this dynamic environment necessitates not only robust cybersecurity measures but also meticulous adherence to ever-changing legal standards.

“If it’s not some new foreign sanction or change in reporting regulations, it’s a mandate from within or some other bureaucratic burden that fluctuates virtually daily,” Hansen continued. “If everything were stable, it would be too easy, I guess. I’ve heard CISOs say on a few occasions, ‘I don’t fear hackers, I fear the auditors.’”

It goes without saying that this tidal wave of pressure grew with the cases against security chiefs at Uber and SolarWinds (the criminal conviction of Uber’s former CSO over the handling of a breach, and the SEC’s charges against SolarWinds and its CISO), but there are other security incidents where regulations have created personal legal liability as well.

The above sentiment is not Hansen’s alone. I spoke with two people currently in the CISO seat, and both had similar concerns. In fact, Kayla Williams, CISO of Devo, explained that she’s seen colleagues step away from the role or stop pursuing the role due to their concerns over liability.

Unlike other C-suite executives who typically wield decision-making authority, CISOs often find themselves in a precarious position with limited control over crucial business decisions impacting cybersecurity investments and strategies.

“The accountability on the business leaders (CEO, CFO, for example) has not been taken into consideration, and more often than not, CISOs do not have the authority to execute roadmap strategies without those business leaders’ support (financial, cultural) and buy-in,” Williams said. “This puts them in the position to try to best protect the business and/or their customers’ data, without having full control over what is happening with tech investment, development, or even business development impacting those decisions.”


The “Ever-Evolving Threat Landscape”

We hear this term in almost every vendor press release, but the reality is that the threat actors, the threats, and the technologies we use to defend against those threats are always changing. And because the threat landscape never stops evolving, neither does the role of the CISO.

“Some [changes] are technical,” said Merritt Baer, CISO of Reco. “For example, the broad acceptance of cloud computing and abstracted, app-based environments, and of course, the rise of AI, both in security and to secure against. There’s a lot of warranted pressure to stay sharp and be a change agent, because it’s the right thing for the business.”

Baer went on to talk about how security is a property of everything we now do and part of everything we deliver – no matter our industry, whether it be hospitality, technology, manufacturing, automotive, biosciences, and so on. It significantly expands the pressure of the role, regardless of where you work.

“You’re also in the security business because it’s inherent to the entity’s value,” she said.

The rising pressures related to the technology go beyond the threats themselves. Williams laid out four other technology-related reasons that have added pressure on today’s CISO:

  1. More sophisticated customers demanding controls in contracts
  2. Cyber insurance companies demanding controls to gain coverage
  3. Lack of general understanding of the role’s remit because it can vary greatly by company, industry vertical, and region
  4. More reliance on third-party vendors and partners, which can create a huge increase of the attack surface

Then there is the constant worry tied to the reason most CISOs took the role in the first place: being a protector. According to Williams, in addition to everything written thus far, one of the biggest pressures is still simply a lack of visibility.

“When there’s something unknown in the network and we can’t protect it because we have no visibility, it really is a security professional’s worst day when an asset all of a sudden pops up because it’s potentially compromised and no one knew it existed, so it has no controls to provide insight into what is going on.”

Strategic Evolution: From Technical Expert to Business Leader

Amidst these challenges, there is a notable shift in how organizations perceive and position the role of the CISO. Baer underscores the expanding scope of CISO responsibilities, stating that increasingly, CISOs are reporting directly to CEOs, signaling a recognition of cybersecurity’s strategic importance at the highest levels of corporate governance. This is a net positive. This elevation in status presents opportunities for CISOs to align security objectives with broader business goals and integrate cybersecurity into the fabric of organizational culture. More importantly, they can have their own face time with the board.

“I hope that with this scrutiny comes an opportunity to take a real seat at the table, and this means that individually we want to see CISOs get political will for what they need,” Baer said. “Significant security decisions are business judgment calls, so as a CISO you don’t get everything you want. But you should get what you need.”

However, adapting to this challenge requires more than technical proficiency. CISOs must possess strong business acumen and political savvy to navigate cross-departmental dynamics, which is not always true of the more technical CISO, noted Hansen.

“According to one of my friends who works very heavily in the space within a private equity firm, he says that having looked at over 100 different CISOs, the ones that tend to do the best are the ones that tend to be business-centric CISOs,” Hansen said. “They tend to be the ones that are able to come to the table, work with the board and the executive team and work across departments in a positive, proactive manner.”

He added that, from his perspective, the more hands-on technical CISO tends to do worse in these environments because they aren’t able to handle those cross-departmental conversations as elegantly.

“It’s not to say they can’t figure it out,” he said. “But they are behind the 8-ball.”

Non-technical CISOs, according to Hansen, tend to have the benefit of being able to hire people who understand the technology aspects that they may not understand. “But if they [themselves] never understand how to exploit a Windows NT box, that does not matter from an ability to properly manage and mitigate risk within larger enterprises.”

Balancing Risk and Reward: The Future of the CISO

As organizations grapple with the implications of cybersecurity on their bottom line and reputation, the question of whether the CISO role is worth the inherent risks looms large. Beyond financial incentives such as stock options and bonuses and “industry cred,” prospective CISOs must carefully consider the personal and professional liabilities associated with the position. Enhancing legal protections through thorough onboarding agreements and specialized insurance coverage can mitigate risks, yet challenges persist in an increasingly litigious environment.

While the role of the CISO remains one of the most demanding and high-stakes positions in corporate leadership, with a balance of value against risk that clearly varies from one organization to the next, it also presents huge opportunities for visionary leaders to shape the future of cybersecurity. The path forward demands adaptable executives capable of navigating regulatory complexities, fostering strategic alliances, and driving organizational resilience in an era ruled by digital transformation and heightened cybersecurity threats.

As businesses continue to prioritize cybersecurity as a critical business imperative, the role of the CISO will undoubtedly evolve, necessitating leaders who can not only safeguard data but also steer organizations toward sustainable growth and innovation.

“I hope that we are at the cusp of a wave of bright, diverse folks who see security as a creative field. I am hopeful,” Baer said. “But in reality, if you look around today, most CISOs are still pretty homogenous… let’s work at it! If we can make being a security executive a real way to change the world for the better, that’s a good place to start.”

Related: Cyber Insights 2024: A Dire Year for CISOs?

Related: CISO Conversations: LinkedIn’s Geoff Belknap and Meta’s Guy Rosen

Written By

Jennifer Leggio is the Chief Operating Officer for Tidal Cyber, where she oversees all go-to-market, including sales, marketing, and revenue and business operations. Jennifer has specialized in startup growth over the last 24 years, and her expertise is built on companies emerging from stealth, building-to-exit, building-to-grow, and rebuilding-for-strength strategies. Beyond business, Jennifer has embarked on unique self-improvement journeys, applying her many lessons to leadership coaching, team building, and mentoring, for the humans behind the technology and processes that reduce cyber risk. Renowned for her tenacity, strategic vision, and no-nonsense approach, she also prioritizes calculated risks to disrupt the status quo and enhance diversity and inclusion in technology. She has relentlessly advocated for ethical marketing programs and the protection of security researchers, speaking on these and other topics at RSA Conference, DEF CON, Hack in the Box, Gartner Security Summit, and small invite-only hacker community conferences.
