Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for organizations’ digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted.
The CISO's responsibilities remain largely unsettled because digital security cuts across nearly every aspect of enterprise transactions, which makes it difficult to place firm boundaries on the role.
Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the information technology (IT) group?
Digital security therefore creates a dilemma for the executive team when it comes to defining the CISO role within the organization. Several gaps can be identified between what senior management wants or expects from the cybersecurity function and how far-reaching the responsibility of the CISO ought to be, and it is important to understand how to bridge and mitigate them.
The CISO can be involved in a wide spectrum of responsibilities depending on the organization’s size and/or the lens the executive team looks through for digital security.
To Whom Should the CISO Report?
To define the role and the location of the CISO in an organization, the organization itself, the type of services and/or products it provides, its relationships with other businesses, the geographic reach of the organization, required laws and regulations with which it must comply, the aspiration of the enterprise, and its future outlook all must be understood. There are a number of unsettled arguments among senior management teams about who ought to own the digital security functions and how to justify the CISO position and roles within an organization. The following are a few of the argued and debated subjects within the digital security world:
- The hurdle of justifying the CISO position—The issues the enterprise has faced establish much of the foundation for instituting a CISO position and forming a digital security organization. Any one of these issues, or a combination of them, can justify the position: internal and external security breaches, monetary losses resulting from security incidents, compliance with the laws and regulations of the countries in which the enterprise operates, protection of the organization's reputation, the organization's risk appetite, and other circumstances.
- Reporting structure—Organizations are debating the appropriate position of the CISO in the organization chart. Among the points to consider is whether the CISO should report to the:
- Chief information officer (CIO)? Answer: It depends. Digital security was born and advanced out of information systems and technology disciplines. CISOs may argue that information systems and technology groups are the implementers of the technology and systems controls. However, this may represent a segregation of duty (SoD) conflict if the governance and reporting on the effectiveness of IT controls are combined under one entity.
- Chief financial officer (CFO)? Answer: It depends. The argument made for the CIO also applies to whether the CISO should report to the CFO. The issue is SoD with respect to IT-related financial controls.
- Enterprise audit committee (AC)? Answer: Most probably no. The issue of independence is in question if the audit committee reports on the effectiveness of the controls that it operates.
- Chief executive officer (CEO) of the organization? Answer: Most probably yes. For a mature, complicated and multinational corporation, the CISO position is much better suited to report to the CEO of the organization, where the digital security programs are designed to support the enterprise’s business objectives in a top-down approach.
- CISO and unresolved digital security structure—Different assemblies within an organization may argue for or against any of the preceding CISO reporting structures. Motives and politics are part of human nature; different factions within an organization may present several arguable reasons and rationales for various CISO reporting structures.
CISO Role
What is expected from the CISO? The answer reflects the critical thinking of enterprise management, the level of sophistication of the organization, the complexity of its IT disciplines and how well they are understood, and the rationale for investing in digital security. Arriving at it requires the diverse functional groups within the organization to argue the structure of the CISO position and either challenge or subscribe to a particular view, often in light of workplace politics.
From experience, the approach ought to objectively articulate the CISO’s expected responsibilities; the type of the deliverables the organization is offering, such as products or services; and the expected compliance to laws and regulations in the countries of presence or in which the organization is doing business.
Challenges Facing the CISO Position
CISOs face a number of challenges, which can be characterized as gaps between how the enterprise's senior management views or understands cybersecurity and how far-reaching the responsibility of the CISO role ought to be. There are also gaps between how CISO professionals perceive their own role and the experience expected of them. The following are a few critical gaps:
- Gap 1: Should the CISO transform from having a technical focus to a business focus? Traditionally, the CISO position evolved from the IT environment, where IT technologists, by default, were responsible for the fundamentals of IT security in the computing environment they managed. Generally, IT technologists lack understanding of, or interest in, the full range of business transactions of the organization. IT resources also often hesitate to cross over to the business side to fully comprehend the seriousness of the requirements that the various business units may impose. This is slowly changing, but the transformation of the CISO from the technical to the business side is not keeping pace with the rapid change in business rules dictated by various and complex regulatory compliance requirements. More regulations have geographic dependencies and/or multinational requirements. A good example is the EU General Data Protection Regulation (GDPR), where compliance creates greater legal liability and requires organizations to pay closer attention to data protection practices.
- Gap 2: To whom should the CISO report? Information security governance is the responsibility of the board of directors (BoD) and senior executives. The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001 states that top management shall demonstrate and ensure that the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization and the integration of information security requirements into the organization’s processes.1 If an organization agrees with this statement, the CISO position should be elevated and report to the CEO of the enterprise. If the organization believes that digital security ought to be confined within the IT function, it may struggle to move swiftly when it comes to facing rapidly changing digital security challenges. Senior business executives are increasingly realizing the significance of digital security and the need for the CISO role due to the impact of security breaches on the organization’s reputation, name recognition and the ability to achieve the business objectives.
The CISO is responsible for translating the digital security risk to senior management by identifying what could go wrong, the magnitude of the threats, the organization’s risk appetite, the acceptable risk level to the business and cost of mitigating the risk. These responsibilities make it imperative that the CISO speak the language of business as fluently as the language of technology.
- Gap 3: How to justify a digital security portfolio? Digital security is often not tied to the enterprise's business objectives. The CISO must communicate with the C-level in terms of the enterprise's business priorities. One of the critical challenges the CISO faces is quantifying the impact of the digital security portfolio, from a costs vs. benefits perspective, for requested expenditures. The perception that digital security is a cost rather than an investment is ingrained in many organizations. Changing it relies heavily on the CISO's ability to show that digital security is an investment with a recognizable return on investment (ROI), and this is where the CISO's background and skill set are put to use. Technical CISOs struggle with how to integrate digital security programs with the organization's business priorities and with methods to quantify the ROI and justify digital security initiatives.2
- Gap 4: Do organizations fully understand digital security functions? CISOs face the challenge of getting the cybersecurity budget approved. Digital security investments are harder to justify within an organization than information technology investments. A digital security portfolio requires a much shorter cycle of periodic evaluation than an IT portfolio. Digital security is dynamic and partly reactive: it changes with new threats, incidents and the introduction of new regulations. The digital security environment can be optimized by implementing a higher degree of automation and machine learning, but these must be supplemented and complemented by human intelligence and intervention. The concept of "lights out computing," which describes a data center whose computers and servers operate under normal conditions with no operator in attendance, does not work in the digital security world.
- Gap 5: Is the CISO an IT function? The IT community would like to assume jurisdiction of digital security within its organizational responsibilities and the solution portfolio. Proponents of such a culture are shrinking in number. However, the resistance is still there and has been enabled by senior management’s lack of understanding that digital security is a set of complex functions with a focus on resilience. IT operations are measured based on customer service and operational efficiency. Keeping digital security within the IT jurisdiction represents a greater risk due to the diversity of IT priorities, lack of SoD, and conflicts of interest when combining IT operations and digital security under one roof.
It is worth mentioning that big enterprises usually have highly decentralized IT ecosystems. This may present a challenge for the CISO when attempting to protect larger boundaries. For example, the Payment Card Industry Data Security Standard (PCI DSS) may push an organization toward centralized computing and an isolated computing environment for the systems that store, process or transmit cardholder data. On the other hand, blockchain technology and its distributed architecture are among the forces moving organizations toward decentralization. The matter is not settled, and this adds to the challenges facing CISOs and the enterprise in general.
- Gap 6: Do the cloud and mobility present challenges? Enterprises have realized substantial gains in operational improvement and reduction of infrastructure costs through cloud computing architecture and services. However, the cloud has added significant security challenges for CISOs and enterprises, chief among them that it has eroded the traditional concept of a network security perimeter.
In addition, users are located in and working from many places and remotely access cloud applications through a variety of devices, such as laptops, desktops, mobile devices and Internet of Things (IoT) devices. Because these devices sit outside the perimeter, even well-designed perimeter defenses do not cover them, and they present a great challenge to organizations and CISOs.
Closing the Gaps
Consider these factors to guide the organization in determining if the CISO position is justified, to whom the CISO should report and what traits the CISO ought to possess. If any of the following requirements are critical and ought to be met by the enterprise, then a CISO position and cybersecurity function should be considered:
- If dealing with private information (e.g., name, address, financial data, social security number and other personally identifiable information [PII])
- If dealing with enterprise intellectual assets (e.g., patents, secret formulas, financial data, payroll information, insurance data)
- If complying with regulatory requirements. This applies to publicly held enterprises and to country, state and local laws and regulations.
- If the enterprise is a multinational corporation where data are stored or transmitted across borders of multiple countries
- If it is a third-party vendor dealing with publicly traded enterprise data and intellectual assets or confidential private information3
- If certifying transactions and attestation are required by the internal and/or external auditors
- If SoD is critical, that is, where combining IT and digital security would create a conflict because oversight and assertion of identified controls, such as custody, approval and reporting of transactions, would be performed by one functional group or resource
- If facing cloud architecture and its data access and user controls. There will be a compelling reason to rethink current cybersecurity practices and transform the enterprise toward a cyberresiliency model. Cyberresiliency includes, but is not limited to, data and information backup, disaster recovery and business continuity, role-based access control, segmentation of vital enterprise assets, and analytic monitoring. This does not diminish the common cybersecurity fundamentals, such as educating users about social engineering and phishing, properly configuring firewalls, and applying security patches regularly and in a timely manner.
- Other factors can be added and considered as they may fit the enterprise business, culture and strategy.
The Dimension of the CISO Role
The CISO role is evolving from a strictly technology focus to a process and business focus.
The CISO is expected to protect the enterprise assets, understand enterprise objectives, communicate with the senior management team, set the rules, provide oversight, understand the cross functions of the business, build a relationship with the business units, reach out to the outside business community, gauge the risk appetite of the enterprise, determine the appropriate portfolio of solutions, monitor and predict risk, and respond to security incident breaches.
The CISO has to lead and facilitate the establishment of digital security governance for the organization based on policies and procedures, best practices, oversight and monitoring of compliance to policies, current and anticipated threats, and proper selection of digital security solutions.
In addition, the CISO has to build, promote and endorse a culture in which accountability for digital security falls on all employees of the organization. The implementation of and adherence to digital security policies are the responsibility of every employee. Real-time monitoring and measurement of key performance indicators (KPIs) are among the principal deliverables of the CISO.
Risk-Based Cultural Transformation and the CISO Role
Protecting an enterprise’s critical assets requires the transformation of the organization to a risk-based culture, which means that cybersecurity is the responsibility of everyone. There are a number of factors that contribute to a risk-based culture. The CISO is expected to pioneer such transformation by being business savvy and being versed in technology solutions and the prediction of risk. This is an enabler to achieve both top-down and bottom-up objectives. The following are some of the fundamentals to achieve such transformation:
- The CISO is a trusted advisor to the business units of the organization. The CISO position should have a consultative nature and wear multiple hats with different traits such as business acumen, technology insights, group facilitation skills, integrator of technology solutions to the business, staff mentor and many others. The CISO is one of the principals playing a vital role in the enterprise cultural transformation.
- The CISO must enable the transformation of the organization's infrastructure away from legacy systems and architecture. Even more important is the transformation of the organization's legacy thinking, which by far represents the greatest impediment to the enterprise becoming risk based. In support of such alignment, organizations must bridge enterprise business activities with business unit functional activities through a risk-based cultural transformation.
- The risk scenarios are owned by the entities that control the processes, manage the projects and have custody of the assets. The CISO and his or her organization do not own the operational risk. However, the CISO shares responsibility for any failure in the design or operating effectiveness of the controls that are in place. The question of who owns the risk becomes immaterial when the organization moves risk from being owned by a single entity to being integrated into the enterprise culture and practiced by all employees in their daily activities.
- The CISO is responsible for defining the cybersecurity dashboard and reporting key performance indicators (KPIs) through the appropriate use of tools.
In the digital security world, it is prudent to identify the KPIs and have the corresponding key risk indicators (KRIs) mapped to each other. KPIs and KRIs must be measured and reported on a regular basis.
Key dimensions of the KPIs are investment in technology infrastructure; investment in enterprise personnel through training, workshops and sharing real-life case studies; and investment in processes such as security policies, best practices and consistency through documenting standard operating procedures.
Timely alerts of violations, risk prediction and trending risk scenarios are critical to ensure that the organization has an effective response to the risk occurrences through written procedures.4
- The CISO plays a vital role in the design of key controls for various business units within the organization. This is where the CISO’s traits demonstrate his or her effectiveness, and the role of the CISO as a trusted advisor is critical.
The business units receive most of the credit for the upside and the downside of the control operating effectiveness. Members of the business units are the users and the operators of the controls within the established design. Violating the prerequisites included in the design might lead to risk exposure caused by these stakeholders. Providing regular cybertraining to end users is one of the critical components in risk-based cultural transformation.
Justifying a Digital Security Portfolio
Digital security has a high technical content, and technical staff generally have difficulty quantifying for management, in business terms, the tangible and intangible benefits of a proposed investment and its expected return. Often, digital security solutions are justified with fear tactics, which leaves senior management weighing a looming liability and the consequences of not funding the proposed solutions rather than evaluating a business case.
It is the CISO's responsibility to link the digital security portfolio to the enterprise business objectives within a defined time frame. The business, management and consulting skills of the CISO are tested and demonstrated by taking ownership of correlating the digital security solutions with the organization's objectives and showing how they affect the organization as a whole and its individual business units. Such justification should be presented quantitatively so that senior executives can evaluate it.
CISOs must lead the effort to develop a business case that substantiates their proposed digital security initiatives and their impact on the entire organization. An example is the development of a hierarchical business architecture depicting the relationship between business objectives, business units and the digital security initiative (figure 1).
Responsibility Matrix of Return on Security Investment
The CISO must assume the lead in consulting with the organization’s key stakeholders to develop what could be referred to as the enterprise hierarchical business architecture by identifying the enterprise business goals, the challenges at hand, business enablers and the digital security portfolio.
The key business unit stakeholders will be able to identify the key attributes of the hierarchical business architecture, which lends the credibility and support the CISO needs to transform the organization into a risk-based one. Figure 2 depicts the responsible and supportive roles of the various levels of stakeholders based on expected deliverables.
SoD Model and Test—Separation Between the CISO and CIO Function
As stated in ISO 27001, SoD is a requirement where duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.5 The most widely agreed upon SoD model requires separation between authorization (AUT), custody (CUS), recording (REC) and verification (VER) of a transaction.
Applying such a model in the digital security realm is depicted in the example of embracing some common IT practices to grant user access to critical informational assets of the organization.6
The following is an example of a workflow enforcing SoD within an organization when a new request is made to grant access to enterprise assets to a given user:
- Request that a user be added to an Active Directory (AD) group that implements role-based access control (RBAC) for the asset.
- Authorize the addition of the user to the AD group.
- Enter the user into the AD group.
- Monitor the alert that a user has been added to a group granting access to a critical informational asset.
- Assert the design of the controls over the AD process.
- Attest to the operating effectiveness of the controls over the AD process.
In small organizations with fewer staff, SoD can be challenging; it is then achieved through compensating controls and implementation of best practices. Policies and procedures covering access to enterprise assets and data have to be in place at the point of employee or contractor hire and monitored and enforced throughout the duration of employment. A typical compensating control requires a minimum of two different signatures to authorize a new user's access to enterprise data.
Figure 3 represents the SoD test in an organization: the rows and columns of the SoD table are examined for any overlap of responsibilities. For SoD to hold without conflict, the same entity name should not appear more than once in any row or any column of the table.
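As an added example (not code from the original article or its figure 3), the following Python script applies the row-and-column SoD test just described to a constructed table of critical transactions, including the AD access-granting workflow from the list above, and also implements the two-signature compensating control for small organizations. The transaction names, the entity names and the duty assignments are assumptions made for illustration only.

```python
"""Segregation-of-duties (SoD) test over an authorization/custody/recording/
verification table, plus a two-signature compensating control.

Added example; the table below is constructed for illustration and does not
reproduce the article's figure 3. Transaction and entity names are hypothetical.
"""
from collections import Counter

# The four duties of the classic SoD model.
DUTIES = ("AUT", "CUS", "REC", "VER")

# Constructed SoD table: one row per critical transaction, one cell per duty,
# naming the organizational entity that performs it. Row 1 deliberately lets
# IT operations both enter (custody) and record the AD group change.
SOD_TABLE = {
    "Grant AD group membership": {
        "AUT": "Business unit owner",
        "CUS": "IT operations",
        "REC": "IT operations",
        "VER": "Digital security",
    },
    "Firewall rule change": {
        "AUT": "Change advisory board",
        "CUS": "Network engineering",
        "REC": "Change management",
        "VER": "Internal audit",
    },
    "Attest control effectiveness": {
        "AUT": "Audit committee",
        "CUS": "Digital security",
        "REC": "Compliance",
        "VER": "External auditor",
    },
}


def sod_conflicts(table):
    """Return findings as (kind, key, entity) tuples.

    kind == "row": one entity performs two or more duties on the same
    transaction (the classic SoD violation).
    kind == "column": one entity performs the same duty across more than
    one transaction, which the article's figure-3 test also flags.
    An empty list means the table passes the test.
    """
    findings = []
    for txn, duties in table.items():
        for entity, count in Counter(duties.values()).items():
            if count > 1:
                findings.append(("row", txn, entity))
    for duty in DUTIES:
        column = Counter(row[duty] for row in table.values())
        for entity, count in column.items():
            if count > 1:
                findings.append(("column", duty, entity))
    return findings


def two_signature_ok(requester, approvers, custodian):
    """Compensating control for small organizations: access must be
    authorized by at least two distinct approvers, neither of whom is the
    requester or the administrator who will enter the change (custody)."""
    distinct = set(approvers)
    if len(distinct) < 2:
        return False
    return requester not in distinct and custodian not in distinct


# Remediated table: hand recording of the AD change to a separate monitoring
# function so that no entity holds two duties on that transaction.
REMEDIATED_TABLE = {txn: dict(duties) for txn, duties in SOD_TABLE.items()}
REMEDIATED_TABLE["Grant AD group membership"]["REC"] = "Security operations center"


if __name__ == "__main__":
    for name, table in (("as-is", SOD_TABLE), ("remediated", REMEDIATED_TABLE)):
        found = sod_conflicts(table)
        print(f"{name}: {'PASS' if not found else 'FAIL'} {found}")
    print(two_signature_ok("requester", ["bu-owner", "ciso"], custodian="ad-admin"))
```

The row check is the one most audit programs treat as a hard failure; the column check is kept because the test described in the text flags both directions, and it is cheap to report separately so that reviewers can decide whether a repeated column entry is a true conflict or an accepted concentration of a duty.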
For an organization to achieve clear SoD compliance between the CISO and CIO functions, the IT and digital security roles in managing and reporting compliance have to be separate. Otherwise, the organization is subject to a conflict of interest because combining any two or more activities under one organization unit raises doubt around the independence of managing and reporting the operating effectiveness of the established controls on critical transactions.
The findings of this SoD test lead to the conclusion that, in the organization chart, the CISO should not report to or be confined to the IT function.
Conclusion
There are a number of reasons why the subject of the CISO roles and responsibilities is becoming an interesting issue within enterprises. The increase in data breaches, the ramifications of breaches, the compliance dictated by regulations, the multinational aspects of information traveling across borders, emerging information technology architecture and services, and the external auditor demand for attestation all have elevated the CISO position to be a topic of discussion among the BoD and senior executives.
The importance of SoD highlights the fact that the CISO should neither be part of the IT organization structure nor report to the CIO.
Since the CISO position is being promoted to report higher in the organization chart, a greater emphasis is being placed on the CISO role and expected skill level of those filling the role. It has moved the skill of the CISO from technical implementer of technology to one of business focus and the ability to oversee digital security as a vital business unit to justify its relevance and demonstrate the ROI to the enterprise bottom line.
Additionally, enterprises are evolving to become risk-based organizations. This requires transformation of the enterprise culture to a risk-based culture, where digital security is the responsibility of all the employees of the enterprise. However, such cultural transformation has put greater pressure on the CISO to be a trusted advisor who operates as the integrator of the enterprise business units and a relationship builder. Digital security is becoming the bridge to integrate the enterprise products and services with the enterprise business functions.
Endnotes
1 International Organization for Standardization, ISO/IEC 27001, Information Technology—Security Techniques—Information Security Management Systems—Requirements,