CISO: The ‘Inconvenient’ Role
By Daniela Hernández Marín | Thu, 08/04/2022 - 09:00
Do you remember the times when the IT support team occupied the last (and sometimes the worst) workstation in the office? You were able to find them at the end of the hallway, among many cords, computers, and stuff we didn’t even know the purpose of. Fortunately, circumstances have changed for IT teams and for everyone in business.
If you pay attention to what IT teams represent now (in most modern organizations, although we can still find exceptions), you will find a very different scenario: the chief information officer (CIO), the leading role in IT, has gained a whole new level of importance. CIOs make important decisions on what the digital transformation should be and help their organizations successfully meet the requirements of Industry 4.0. They quickly solve core business problems and have led the efforts to automate critical processes.
The ambivalence of this situation is that we have a happy problem: digitalization has not always developed at the same rate as cybersecurity, and the lack of experts in this area has forced CIOs to assume both roles. Sometimes, business requirements demand that a process be virtualized ASAP, leaving no time to analyze its cybersecurity elements. Do you remember those enterprises that did not have e-commerce before the pandemic? The interruption of face-to-face transactions due to COVID-19 forced many organizations to rapidly develop online versions of their physical activities, but only a few of them stopped to think about the security aspects of that decision, because time is money.
But how do you deal with the decision between security and digitalization if the same person is in charge of both things? We absolutely need another role.
Recently, many organizations have created a new C-level office whose head is called the CISO, which stands for Chief Information Security Officer.
This role requires not only the technical skills to lead the defensive strategy but also some specific soft skills. Cybersecurity must be seen as a business enabler. As an example of how the perception of IT should change, cybersecurity should be separated from IT decisions and considered a strategic tool that enhances the entire organization.
The CISO should not only develop a strong security strategy but also ensure that the organization as a whole is capable of overcoming an attack. That’s why information security is a broader concept than cybersecurity. And since every single part of an organization works with data (I personally think that human resources are the most important asset, and right after them comes information), the CISO must be familiar with every critical process — legal, financial, IT, e-commerce — and should analyze those processes through a risk lens. A CISO practically sees risks with every step they take, and if not, they are probably missing something.
This is precisely why the CISO has such a particular and hard-to-find professional profile. They have to be able to understand what each area does and needs and, based on that, develop a transversal strategy that keeps the organization safe and resilient. And sometimes, during conversations, the CISO might find that their position and their natural way of detecting and preventing risks call into question the way things have been done. So, another soft skill for this position should be good conflict management. They have the enormous challenge of making people understand that just because things have always been done in a certain way does not mean that they are being done securely. But this big shift has to be executed without jeopardizing business continuity. If the CISO is good enough to accomplish this, slowly but surely the critical processes will become increasingly secure.
At this point, you may be thinking: well, I have not read anything new! Congrats! In that case, you are part of a rare and small group of people who are familiar with the necessity of a CISO. According to PwC, in 2020 in Mexico, 13 percent of leading cybersecurity roles reported to the CEO, while 32 percent reported to the CIO or chief technical officer (CTO). Maybe these statistics have changed over the last two years, but the perception is that if they have, they have not changed that much.
In my opinion, the most important factor in a cybersecurity ecosystem is that the CISO should report directly to the CEO and should hold the same C-level rank as the CTO or CIO, to avoid conflicts of interest in IT decisions.
Second, it is necessary to increase the number of cybersecurity specialists and train them not only in technical aspects but also in strategy, legal, compliance, supply chain, e-commerce and many more core business processes. It has been said that for this year, Mexico is in need of 2 million cybersecurity experts, and the gap is hard to close. This means that plenty of organizations can’t (and won’t) find people who fulfill the requirements for a CISO position, which makes them super-vulnerable to cybercrime.
While training people in ethical hacking, forensics, pen testing and hardening can be relatively easy and fast, developing the hard and soft skills to become a CISO can take many years.
If the need is clear, why do we lack so many experts? Although salaries are high for cybersecurity positions and, each day, more organizations become aware of the urgent need to protect themselves from breaches, they still struggle to find people. How do we close the gap between supply and demand? First of all, we have to attract talent right out of college. From my particular point of view, as a physicist who has fallen in love with cybersecurity, we should look for science students who may be interested in cyber and change the narrative that this area is the exclusive domain of engineers. Physicists, mathematicians and chemists are trained to solve problems through a multidimensional approach. Discovering in my early 20s that cybersecurity was a potential career for me has allowed me to hold diverse positions in IT and cyber. Now in my 30s, I still have so much to learn, but I have a clear path. What if my physics colleagues had come to the same discovery at the end of college? What if we open the conversation among students and start attracting other profiles to cybersecurity? This is a pending but urgent task for everyone, since we all take part in the cyber ecosystem and we are all interested in fighting cybercrime, no matter from which trench we do it.