Chief Information Security Officers (CISOs) are kept from taking a more strategic role in the enterprise for a number of reasons, according to Deloitte. The first is the inadequate alignment between security organizations and the business. Most CISOs are technologists with limited exposure to, and knowledge of, the overall business, which narrows their perspective: cyber threats are framed as technical requirements rather than also as critical business risk issues.
CISOs can also struggle to communicate and collaborate with senior managers, partly because of limited interactions and relationships, a problem that is exacerbated at the executive level. In addition, security is a relatively new, highly specialized discipline that is in high demand while there is a shortage of security talent and experience; CISOs end up filling gaps on their own teams, which can prevent them from focusing on the big picture.
Beyond issues specific to CISOs and their teams, cyber risk is not stressed enough at the organizational level because of a false sense of security and competing agendas. Many C-suite executives, in particular in highly regulated industries, believe that compliance brings security. In practice, meeting a compliance standard establishes a baseline of controls at a point in time; it does not address threats the standard does not cover or changes in the business that come after the audit. This mindset creates an organizational culture with a narrow understanding of cyber risk, one that as a result fails to address the issue in its entirety.
Furthermore, many of these executives believe that CISOs should not be part of their organization's leadership team. This is partly because the mission of business units is to create new products and services, drive sales and revenue, and control costs in the process. Security considerations are usually excluded from that mission, when in fact the strategic growth agenda of these same executives (new products, new markets, new partners and technologies) is often the very source of the cyber risks within the company that need to be addressed.
While all four faces of the CISO are important (technologist, guardian, advisor, and strategist), CISOs are being challenged to move beyond a traditional focus on the technologist and guardian faces and to spend more time in the advisor and strategist roles. This pivots the conversation in both mindset and language: from a focus on the negative, how much damage and loss can result from risk, to the potential of well-managed risk to positively affect competitive advantage, business growth, and revenue expansion.