What Does a Modern CISO Look Like?

The Risky Business of a CISO (A Brief Explanation)

What’s hard to capture in security policies is the changing nature of risks, which are often unexpectedly different, as new bad actors enter the market every year.

The CISO will maintain the corporate risk register, which illustrates the amount of risk a business is carrying at any given point in time. They will manage this relative to the risk appetite of the business, and, over time, aim to reduce risk as much as possible.

The Past, Present & Future of the CISO

Ask a modern CISO about their role and the responses can be varied. They might be grappling with the headwinds of regulatory change, or the frameworks that impact their business from day-to-day. In a financial services business, for example, a CISO will prioritise security all the time, answering not only to an advanced threat landscape, but the demands of regulators. Compliance feels deeply tied into security issues, where new regulations like DORA, sweeping in from Europe, can reshape how we think about securing our business and its wider, tactical partnerships.

Other security professionals are losing sleep, anxiously balancing between securing a business against today’s biggest threats and keeping it sustainable and risk-free long into the future. Polled by CSI earlier this year, we learned that 93% of cyber security decision makers are kept awake at night worrying about security issues.

With such rapid change deep in the threat landscape, and with costs spiralling before and after a data breach, the role of the CISO is in transition. So, what do they look like now?

Nowadays, a CISO must proactively plan defences to avoid an incident and take reactive action if anything malicious  threatens a business; they act as internal policymakers as much as security consultants, they provide councel for the board, and train all kinds of users. This high-pressure duality about the role is a cornerstone in understanding the modern CISO.

Historically, CISO’s of the past have had the mammoth task of keeping information and security hardened against threats. At the highest level, the CISO identifies a business’ Achilles heel as it relates to cyber security, developing new solutions to remain resilient in the digital age. Certain responsibilities have remained the same over time: a CISO still works toward corporate objectives, advising on subjects such as compliance frameworks and  certifications exercises (ISO 27001, for example). A CISO is key in negotiating corporate alignment with core standards and benchmarks and, more recently, this has started to involve business continuity planning (or ISO 22301).

Where the role has matured, the conversations a CISO is having are now different: the nature of how a business protects itself online is increasingly concerned with resilience. The Financial Conduct Authority (or FCA), the major regulator for Financial Services Providers, has further tightened compliance around cloud services. In today’s nervous market, resilience is the new watchword for professionals who want to smartly build the right culture around security and risk within their businesses.

What Challenges are CISOs Facing?

The challenges a CISO faces are no different than the digital risks presented to businesses every day. Traditional boundaries, for example, have been eroded by the global remote workforce, where greater importance and urgency is on user controls and permissions. Post-pandemic, organisations only continue to de-centralize, complicating how easily traditional security tools can answer today’s more sophisticated attack types.

Further complications arise when you consider the mixed economy of technologies, users, and applications. Ultimately, the perimeters around a business are increasingly less defined and, therefore, harder to patrol with the right security products.

IBM’s report estimated that, in 2023, the global total for a typical breach reached $4.45 million (USD). This captures an increase in the costs associated with a data breach by at least 15% over the last three years – and it is worryingly expensive. Better yet, the “industry” of cybercrime is projected to cost world’s economy $8 trillion (USD) this year. The latest pattern in cyber-crime sketches out a landscape that is rapidly becoming more destructive and aggressive with how it attacks businesses and end-users. Businesses must plan for increasing threat varieties and attack sophistication.

Rogue Post-It notes with sensitive data, phishing campaigns where users are deceived in their busy inboxes, and even social engineering – attack types are diverse. The costly risk of breaches is well-documented, with the UK’s main watchdog, the National Cyber Security Centre (or NCSC), issuing regular advice and guidance in support of a mission to create a safer digital climate. Whilst the threat landscape is annually reviewed, a recent step-change in the role of CISO has changed the nature of security conversations.

The CISO & the Culture Around Security

As the modern figurehead for security, the role of CISO has matured so rapidly in recent times that it has even created a form of burnout in a market where skills shortages are already common. As the global climate transitions to deal with the costly fallout of a breach, often the pressure to prevent one in the first place can be felt by the CISO.

In the US, there’s another risk of a “Great Resignation” phenomenon sweeping through the security market. The irony that deepens is clear: the very role responsible for protecting a business and keeping it safe has, quite possibly, the least job security right now. With talent shortages disrupting recruitment, CISO and other security roles may be harder to fill.

In one study, a new anxiety pointed to financial liability as a possible fallout from a breach. Respectable outlet, Bloomberg Law, observed how the CISO has become a “target in civil and criminal cases involving data breaches”, which is symptomatic of an “Era of Heightened Liability for CISOs”.

CSI discovered how cybersecurity decision-makers lie awake at night worrying about organisational security issues. Limited or strained skills, resource shortages, and legacy or aging IT were all identified as the top concerns right now.

Meanwhile, a hardening cyber insurance market and soaring premiums (where businesses do not already suffer policy lockout) means that offsetting risk is even harder than before. There has been a long established anxiety that cyber insurance is not effective in covering the cost of a breach.

The burnout trend is reversible where CISO’s look to build security cultures that share out the responsibilities of minimising risks. This step-change happens away from technology and starts with this idea of empowering your ‘human firewall’ by coaching best practice into the daily lives of a business’ workforce.

As architects of policies and culture as it relates to security practice, resilience starts with consistency – or standardising security practice, learning it, retaining that information, and using it in our daily working lives.

Looking Ahead with the CISO

In the near future, the role won’t look the same on page. The title – Chief Information Security Officer – will likely transition into CIO, where information becomes the key asset and security is part of that remit.

As operations de-centralize, and an unhelpful abundance of security tools floods the market, the CIO will carry the responsibility of piecing resilience together cohesively, creating a clear and unified picture of security. Where IT has in the past conjured an image of stiff-collared worker navigating a puzzle of wires, bolts, and codes, modern security technicians won’t lose sleep over risk. Instead, two key step-changes will affect how the role of CISO modernises: security will become more shared laterally across an organisation; and consistency will become a sort of new baseline for security.

CSI Helps Protects Businesses

Like the modern CISO, our security consultants understand the challenges of the ever-changing threat landscape and regulatory frameworks. Whether you’re anxious about your existing security capabilities, or need help expanding your security resources and skillsets, we can help. If sleepless nights feel like an occupational hazard, talk to CSI today.

With support from our security consultants, we will watch and monitor your systems 24/7. For a no-obligation talk about your current security posture, please get in touch.