The job of the Chief Information Security Officer (CISO) or Information Systems Security Manager has evolved considerably in recent years, and it will certainly keep changing.
On the organizational chart, the CISO is most often positioned within the CIO department, but in recent years a gradual shift has appeared: CISOs are increasingly being positioned elsewhere, sometimes reporting directly to the CEO. This shift reflects a necessary transformation of the CISO profession, which is moving beyond its original, purely technological perimeter toward a more cross-functional role that sits closer to the business activities of the organization, and which may even become a full-fledged activity in its own right rather than a mere support function. This trend is welcome, since it brings the CISO, along with his or her range of skills and scope of action, into the business operations of the organization. More broadly, the CISO can contribute this expertise to the organization's digital transformation projects, given that the security dimension of those projects should in no case be overlooked.
As Jamal Dhamane, CISO of the Essilor group, stated in an interview published by MagIT in October 2016: “little by little, the function must go more towards the business rather than to the technique”. He also added: “the more mature the company, the more the CISO is linked elsewhere [than to the CIO Department]”, “the CISO must be placed where it will be most effective”, and “there is more autonomy and proximity to the business when the CISO is not attached to the CIO”.
This approach seems entirely relevant, but it does not mean that the CISO must always be positioned outside the CIO department; the right answer also depends on the corporate and organizational culture of the company. What remains imperative today, whatever the reporting line, is to strengthen communication and, more than that, to establish a genuine dialogue between the security teams and the business. This also means that the business must strive to better understand the scope of action and the added value of the CISO, and must take security into account in its daily operations rather than treating it as an afterthought.
Thus, beyond where the CISO sits on the organization chart, what matters most is the definition of his or her scope of action and responsibilities. The CISO must also develop real leadership on information security and cybersecurity issues within the organization; otherwise he or she risks going unheard internally. This requires CISOs to step out of purely technical jargon, which remains hard to follow for the uninitiated, and to make the effort to speak the language of the business.
Communication and dialogue between the CISO and the management of the organization remain crucial: the CISO must give decision-makers a clear understanding of the organization's exposure to cyber risk, of its ability to handle cyber incidents, and of how its cybersecurity policy and strategy, as well as its regulatory compliance, are being continually reviewed and adapted. Ideally, cyber risk should therefore be a regular agenda item for the board of directors, which would also help spread and promote a better security culture internally. For their part, CISOs must endeavor to translate the output of their security management tools into more meaningful, less technical business indicators (for example, the time taken to detect and contain an incident, or the share of business-critical systems patched within the agreed window, rather than raw counts of vulnerabilities) in order to get their messages across to top management. Conversely, this also requires that top management and the board of directors have at least a basic knowledge and understanding of cybersecurity issues.
I welcome your thoughts and comments.