Savvy security leaders must enable the business and protect their organizations
In November 2023, IDC conducted an extensive global survey of 847 security leaders across 17 countries to better identify their roles, responsibilities, and the realities they face on the job. Responses confirmed that the CISO role is evolving, as CISOs now straddle dual responsibilities: cyber security leader and business enabler.
The survey also showed that today’s CISO role is much different from what you might think. Many believe a CISO’s sole responsibility is to assess risks and to develop, manage, and execute security programs that protect the organization. That is no longer the case. Survey responses showed that security practices must be in full alignment with business and innovation initiatives. The modern CISO is one who can capably balance strategic business needs with hands-on technical practice.
Digital transformation is one factor that has made this agility necessary for CISOs. Internet connectivity, while boosting business growth, has also opened the door to advanced cyber attacks. Cyber security is a top business priority, and it is the CISO who must keep an organization’s assets safe.
Other key IDC survey insights:
- Strategic thinking: CISOs are thinking strategically about business goals and about security technologies and architectures. Today’s landscape consists of networks, clouds, and assorted endpoints, and providing resilience against sophisticated cyber attacks is an all-consuming strategic process.
- Expanding CISO role: In addition to business enabler and guardian, as CISOs mature in their role they become legal and compliance advisor, risk manager, auditor, customer support leader, and chief communicator. CISOs are far more concerned about the impact of inflation on their budgets than about staffing.
- CISOs and CIOs: The CISO and CIO relationship is much more complex than most believed. Although CISOs and CIOs are expected to work together, the survey found that they are not always on the same page about IT and security priorities. CISOs and CIOs, for example, have diverging opinions on the role a CISO should play in business resiliency.
Strategic thinking
Following is a sample response to a selected survey question:
Strategic skills are most important for a CISO
Several questions asked both CISOs and CIOs what they believe the chief CISO roles and responsibilities are. The responses below are to the question “Thinking about strengths and skills that a CISO should possess, which of the following are most important?”
Figure 1: This is a partial list of responses
Expanding CISO role
Security executives are looking to drive business initiatives
In response to “What is the most important way you see your role evolving over the next 12-24 months?”
“As a practicing CISO from start-ups to enterprise organizations for many years, this survey validates many of my experiences. Being a CISO is an extremely challenging, continuously evolving role. As the security leader, you need to have a broad understanding of the business, technologies, regulatory and legal considerations, and strategic focus while contending with increasingly sophisticated cyber attacks. I believe this survey will inspire my fellow CISOs to know that we share many of the same insights and challenges no matter where they’re located around the world.”
– Cindi Carter, Global CISO, Check Point
CISOs and CIOs
CIO and CISO priorities are not aligned
In response to the following: “What are the CISOs’ areas of top priority with IT? What are the CIOs’ areas of top priority in working with cybersecurity?”
CISOs are most focused on cybersecurity and vulnerabilities. CIOs are focused on faster response times from IT, on ensuring business continuity and resilience, and on minimizing disruption, which are not on CISOs’ radar.
“Even though I’ve been an analyst covering the cybersecurity sector, I was surprised by the results, particularly the complex relationship CISOs have within their organizations. The survey insights really confirm and dispel what we believed about the CISO role and how far it has evolved.”
– Frank Dickson, Program VP Cybersecurity Products, IDC