The pandemic, a remarkable and unprecedented event, drastically altered the lives of billions of people globally and established what is commonly referred to as the new normal in how we live and work. The world of business changed in the last two years: the way business was conducted changed, and so did the way it was delivered. The biggest change was human: long-held beliefs were pushed to the wall, and methods that no one would have entertained earlier were accepted.
The unplanned, accelerated digital transformation during the pandemic introduced new risks that were exploited and continue to be exploited. A large number of companies were breached, and the ransoms that changed hands were testimony to transformation undertaken without an understanding of the risk. As a result, CISOs had to put band-aids on the leaks before they could get down to security transformation in an organized, structured and strategy-driven way.
A CISO in the Modern World
The role of the Chief Information Security Officer is growing in importance in an era of remote working and cloud architecture. The CISO's role therefore saw a major transformation in the last 24 months, alongside massive changes in the way technology is used. Having tasted the speed of rapid acceleration, the business wanted to keep moving at that pace. This only raised the expectations of CISOs, who now had to catch up with the pace the business had set and then keep up with it.
The changed paradigm required CISOs to reinvent themselves as partners rather than policemen, and therefore to wear the multiple hats of technologist, guardian, influencer, advisor and strategist. To remain relevant, CISOs must create a communication strategy and a plan for engaging stakeholders and educating employees.
The influencer and advisor hats tested the basic fabric of the job role. CISOs look to lower risk, which runs against a business ethos of taking on more risk. Moreover, the board needs advice not on technology but on the implications of cyber risk. Hence the CISO must become a partner in growth, understand the business of delivering products or services, and advise and equip the board to make decisions accordingly.
To manage all these activities and produce results in such high-stress areas, it is paramount that CISOs manage their time efficiently. A CISO is no longer a technical manager, nor a risk monitor working on spreadsheets in isolation.
The CISO is now an operational role whose coverage includes both technical and non-technical domains. This becomes more complex because of the human element: experience and expertise (a SecOps or GRC background) come into play, and a person naturally spends more time where they feel more confident and sure.
Speaking from experience, and with a technical bias: the longer we spend as CISOs, the less of our time goes to technical domains. This is despite the fact that the role is more technical than ever and will stay so in the years to come. Job expectations are driving CISOs into domains that call for the hats of an advisor, a guide and, above all, an influencer. Though the team works in the technical domains, the CISO works with the organization at large to get it to take cyber security threats seriously and to become a partner in the journey.
Enabling transition through time management
Traditionally, the CISO's responsibilities revolved around reducing potential risks and safeguarding the organization. However, as the world continues to undergo digital transformation, the role is increasingly strategic and influence-driven. Nowadays the CISO's performance is measured not only by whether the business suffers losses from a data breach, but also by whether security is proactive and allows faster delivery of services and applications. To succeed, CISOs must shift their strategies and manage time effectively in both technical and non-technical areas.
The following is a breakdown of how a CISO should allocate his or her time. These steps help ensure that any risk (or opportunity) associated with organizational activities is identified and addressed in a manner that supports the organization's goals, and that organizational activities comply with the laws and regulations affecting IT systems. In other words, IT systems and the data they contain are used and stored securely. New leaders should try to put these points into practice and adjust them according to their organizational priorities and individual requirements.
Technical (Core 35%; Non-Core 15%): Though this is the focus area of most CISOs, the time allocated to it should not exceed 50%, and even within that allocation the non-core part is about 15%.
20% of this time should be spent on infosec governance: monitoring KPIs and security metrics, and measuring the effectiveness of policies and of their implementation in the tools. This keeps organizational activities such as managing IT operations aligned with the company's goals.
A further 10% should be devoted to security engineering, tuning the tools to improve their overall effectiveness. Another 10% should go to strategy, projects and new initiatives, including budget management. The remaining 10% should be allocated to audits and to meeting regulatory and compliance requirements. Together these four items make up the 50% technical allocation.
Most CISOs love to spend time delving into the technical aspects of the cyber security strategy. While a good grasp of the cyber security areas is essential, time spent here should not come at the expense of strategizing, understanding the business and interacting with key stakeholders. The only way CISOs can achieve this is to hire effective team leads skilled in the core areas who can deep-dive into their respective technical domains.
Non-Technical (50%): As an advisor and evangelist, the CISO should spend an equal share of time on stakeholder management, both internal and external. CISOs must drive effective stakeholder relationship management to support the organization's growth. It is essential to identify and prioritize key stakeholder relationships and to communicate project scope clearly to stakeholders. CISOs must gain stakeholder trust from the start and be consistent in their communications and messaging.
Hence 50% of their time should be used for relationship development, learning about the business and creating value for the growth of the company. The lessons learnt here should feed back into the technical domain, producing a stronger security posture. The split is:
- Relationship management with business (Delivery, Marketing, Legal etc.): 20%
- Relationship management with IT staff: 10%
- HR activities (talent retention and acquisition): 8%
- Relationship management with leadership & board: 7%
- Relationship management with external partners: 5%
This is the area where most CISOs struggle, as they come from core technical backgrounds. They should shed their inhibitions and actively engage with the various stakeholders to understand the businesses and the risks that accompany them. A better understanding of business challenges helps security leaders tailor their responses to potential risks so that they factor in key stakeholders' viewpoints and produce a suitable outcome.
There has been a dramatic change in the role of the CISO and the security function over the past decade. As companies implement digital transformation projects and upgrade their IT infrastructure, the risks also change: the new technology layers that enable digital transformation must be protected from interference, intrusion and corruption. Therefore, besides the functional aspects above, it is imperative for a growing security leader to schedule time for learning in order to stay relevant on their leadership journey. This learning should preferably develop new leadership skills such as communication, negotiation, stakeholder management and financial management. It could also cover blind spots in a CISO's functional expertise, for example Zero Trust, SSE (Security Service Edge) or cloud computing. This new knowledge will help them succeed as security leaders and enablers who secure and lead their organization.
How CISOs spend their time will be a critical factor in how well they protect their organizations from cyber risk. CISOs today need to distribute and prioritize their time effectively to balance the technical, management and collaboration aspects of their role.
About the Author
This document was co-authored by a Technology Advisory Council comprising:
- Amit Dhawan, CISO and DPO at Quantiphi
- Vikas Yadav, CISO at Nykaa
- Unique Kumar, Group CISO at CK Birla Group
- Mansi Thapar, Global Head, Cyber Security at Apollo Tyres
- Kumar Ravi, India CISO at Teleperformance