
The Evolving Roles and Responsibilities of CISOs


James Shira, Network & US Chief Information & Technology Officer, PWC
In order to address these new threats while maintaining operations, growing the business, executing the mission, and implementing digital transformation, organizations are finding that success requires a balanced focus on both business and security requirements. How is this development reflected in the changing roles and responsibilities of the Chief Information Security Officer (CISO)?
The role of the CISO in the organization is fundamentally based on the key information security principles that an organization decides to adopt. Said differently, the risk tolerance of the organization. I have found in my experience that it is a myth to say that one must have lower or lesser security in order to innovate and digitize.
In my view, one must A) have a strong set of core security principles upon which the organization relies, B) invest in security as a function of modernization, and C) look for ways to ‘anticipate’ where the technology landscape at the organization is evolving.
So the right role for the CISO, assuming he or she has the skills, discipline, and focus to achieve it, is to be in the center of the digital evolution of the business. The role then is to facilitate change, not obstruct it. This is why I said ‘assuming’ the skills are there, because in far too many cases they are not.
The role of the CISO is undergoing a dramatic departure from the traditional, singular focus of network security. How does an organization expect their CISOs to function across a variety of business initiatives today?
I am not sure I agree that there ever was a singular focus on anything other than policy. The real evolution is found in how the role is being done, not what it’s doing. What I mean is ‘if’ the role being done is in a manner that facilitates the strategic agenda of the business while making it more secure in the process of change, then the role is evolving as I believe it should. Said another way, the role can’t be reactive.
There’s been far too much focus on who the role reports to and what level it is. Those things have their place, but really, great ideas and true innovation guide things around it. And, therefore, the real change in the role of CISO is centered, in my view, on how it promotes change.
As security becomes more integral to business success, CISOs are being tasked with cross-functional leadership responsibilities to ensure the alignment of business objectives with IT and security strategies, and to manage risk rather than simply deploying tactical security technologies. What kind of responsibilities do this new breed of CISOs have?
The main difference I would call out versus 10 years ago, would be that of the change leader. The most effective cyber readiness programs have strong change leadership. We must all embrace the opportunity to improve our ability in leading and managing change. Unfortunately, we all learn through failure - including myself. What I have learned as a consequence is that the emphasis needs to be on change management - the process but more importantly the constituency of the change, the measures of the effectiveness of the change, and the messaging around ‘why are we doing this’.
Digital transformation and the accelerated pace of innovation, complexity and threats mean that security must operate at the new speed of business or become irrelevant. CISOs must be masters of technology, risk management, and business enablement. To achieve this, CISOs need a broad, integrated security architecture that enables the automation of deep visibility and control at speed and scale. Your views on this trend.
There is no single architecture which can be relied on, in my view. Rather, there needs to be a focus on the effectiveness of the elements that the CISO finds when he or she starts the role; the most urgent gaps that need to be closed provide an initial opportunity to evolve that architecture; and then all of this needs to be modeled against the broader technical evolution of solutions in the market.
The speed aspect is obvious. Where a lot of time gets lost is on the tendency in our industry for individuals to get overly enamored with their favorite tools or metrics. I would recommend greater emphasis on effectiveness and maximum utilization of what you have and buy.
Far too often tools are procured and then suboptimally deployed or managed. Then an unfortunate event happens and everyone who supported the investment asks ‘how’d we end up here?’ This is where those fundamental principles I mentioned before come in, coupled with relentlessly focusing on tool optimization.
Many modern businesses are concentrating on reaping the benefits of digital transformation. Unfortunately, less than a quarter of business executives see information security as a proactive enabler of digital transformation. What is the next step for CISOs for enabling this?
I believe from my previous comments here you can begin to capture my perspective on this. In my view, the real evolution in the CISO role is the opportunity for leadership. We have an opportunity to lead and be part of the solution, not just the expert who found the problem.
Herein lies the largest missed opportunity in the industry and where I hope many current and future CISOs will focus: be the leaders the problems require, step up to the challenge. But to do that we have to realize that we have to be more than subject matter experts and that no matter how important our subject matter is, our expertise alone will not change the problems.
In summary, companies want the leader; they respect the expert, but they need the leader. And CISOs of today and tomorrow who recognize this will distinguish themselves within their organization and beyond. Of course, this assumes that they stay and see the program through; here also rests a core challenge of our industry: frequency of job changes.
