The following excerpt is from Matt’s essay for Chapter 1, in which he discusses the CISO reporting structure. This particular section talks about what Matt refers to as the empowered CISO. Please enjoy.

The Empowered CISO

An excerpt from Matt Stamper’s essay for

Chapter 1 – Organizational Structure

“What’s clear is that the role of the CISO as the champion for cybersecurity and risk-mitigating activities has reached a level of importance that heretofore has not been seen within organizations.”

I firmly believe that CISOs today need to be the peers of the CIOs and CTOs of their organizations and that they need to report directly to either the CEO or CFO. It is also highly advisable that the CISO has calendared meetings with the board of directors to ensure that the board is aware of the organization’s cybersecurity risks. There is indeed growing awareness that members of the board of directors also need to increase and enhance their digital literacy and there’s a push to see Qualified Technology Experts (QTEs) join boards, akin to how Sarbanes-Oxley mandated Qualified Financial Experts (QFEs). The Digital Directors Network has been at the forefront of advocating that boards need to have more technical expertise to exercise their fiduciary responsibilities effectively.

Key to this peer-based organizational structure is a broader, more holistic view of cybersecurity practices within and outside (think third parties and partners) the organization. Beyond the critical skills and competencies required to evaluate technical security matters and other forms of digital risk, a CISO reporting outside the traditional IT structure would also need additional context related to legal and regulatory issues and enterprise risk and organizational strategy.

All these scenarios impact the C-suite and the board of directors. Their oversight of cybersecurity practices (such as staffing levels and competencies, risk management, tools, and third-party providers) requires unfettered information (more accurately conveyed as the ground truth). CISOs buried in the organization are structurally challenged to convey this ground truth to the very principals who need this insight.

The empowered CISO requires skills in combinations that are frankly hard to find and provide a limiting factor on this approach. This difficulty is one of the reasons why there is intense competition for seasoned and qualified CISOs in the market today. The empowered CISO must possess technical acumen across a variety of technologies (e.g., OT, IoT, programming environments, microservices, AI (think ChatGPT and other large language models), and platforms (think modern cloud services)) and couple this requisite technical knowledge with a deep, organization-wide understanding of risk management and privacy as well as legal and regulatory obligations.

To succeed, the empowered CISO needs to unambiguously understand the strategy of the organization, the information and data the organization handles, its lines of business and stakeholders, and the organization’s overall risk appetite. The empowered CISO must also have solid interpersonal skills to work with colleagues who may view cybersecurity and associated controls as an impediment to action. The CISO becomes the advocate in chief of good cybersecurity practices, practices that are aligned with organizational strategy and initiatives.

What does this translate to for day-to-day activities? First, it means that the CISO needs to be seen frequently by non-IT members of the organization. An empowered CISO meets regularly with peers and department heads to understand their practices and the needs of their teams from more than a cyber-specific perspective. As part of this management by walking around, the CISO learns about the organization’s initiatives, stakeholders’ objectives, shadow IT, non-IT sponsored applications, and key vendor relationships. Effectively, the CISO becomes versed in the myriad dependencies and risks that are embedded in the organization’s operating environment. This ground truth provides essential context for the CISO’s cybersecurity activities. Equally important, having a highly visible CISO provides informal but critical opportunities for security training. These ad hoc discussions offer a level of knowledge transfer rarely matched in more formalized security training efforts within an organization.

The empowered CISO functions as an advisor within the firm. As such, the empowered CISO will weigh in on critical, potentially non-IT decisions, including vendor selection (minimally, guidance on vendor-specific due diligence), data classification and treatment, and other activities that could impact the confidentiality, integrity, and availability of critical systems supporting the organization. CISOs in this new role need to be highly effective communicators with considerable powers of persuasion when formal authority is not entirely commensurate with the cybersecurity requirements at hand. Stated differently, the empowered CISO needs to have the respect of colleagues within the organization to influence business decisions in a manner that is consistent with cybersecurity objectives, but that does not appear to be undermining, delaying, or interfering with the organization’s agility. These soft skills and influence usually require time to develop. CISOs must have the time and organizational commitment to grow into their roles.