
Rise of the CISO

By James Francis, Ghost Writer, Copywriter, Media Hack & Illustrator
Johannesburg, 18 Nov 2021

As the end of Boney M's hit song, Rasputin, proclaims, 'Oh, those Russians'. The land of vodka and nesting dolls has long been associated with cybercrime, and we can even credit the former USSR with the spark that launched the CISO.

Back in 1995, Russian hackers successfully breached Citibank's systems, stealing a then-staggering $10 million. It was a sensation at the time, and Citibank spared no expense to set things right. According to Steven Katz, the expert they brought in to help, Citibank's bosses told him: "You know we had the hack so you have a blank cheque to set up anything you want." Awkwardly for him, they waited a month after hiring him before announcing the breach, which nearly derailed Katz's career. But fortunately for him, a bruised reputation was nothing compared to the growing onslaught of cybercrime, and today Katz is regarded as one of the all-time greats of the cybersecurity world. He is also the first person to hold the title of chief information security officer, or CISO.

A lot has changed in the 26 years since. The sophistication of cybercrime has blown up beyond anyone's expectations, and even commoditised ‘script kiddie’ attacks can now be very dangerous. Mild computer viruses were replaced by insidious worms and the broadside of ransomware. And criminals are grabbing much more than $10 million.

Today, cybercrime is a business rivalling illegal drugs and arms-smuggling. It has attracted organised crime, shady state actors and pariah countries. It's become a way to destabilise opponents and sow chaos for the sake of it. And it's a real problem for a world that is shifting towards digital and data paradigms.

The new CISO

The CISO role has changed considerably as a result. Even a decade ago, long after Katz first gained the title, many companies didn't have CISOs. Security was then primarily an operational concern handled by someone in IT.

"The CISO's role has changed from being an internal systems and processes-focused position to a more enterprise-wide role, which ensures the CISO gets the cooperation of all stakeholders prior to pushing forward their agenda," says Derrick Chikanga, technology analyst in Emerging Markets at Africa Analysis. "CISOs are now required to coordinate with various stakeholders in an organisation and understand their needs prior to implementing any security changes." We can narrow the shift down to the title itself, says Mark Walker, IDC's associate vice president for Sub-Saharan Africa: "The CISO is an executive with that 'C' in their title. This defines responsibilities that relate directly to the business. As part of the C-suite, your primary objective is to see how you can contribute to the business' wellbeing. The role has become a lot more sophisticated. The CISO today must understand the risks: reputational risk, financial risk, compliance, and user and customer satisfaction."

Regulatory pressure has also raised the CISO's profile. Laws such as the Protection of Personal Information Act place substantial responsibilities on chief executives and boards, who look to the CISO not only to give guidance, but also to develop security strategies.

Says Chikanga: "Broadly speaking, the main priority of the CISO is getting internal buy-in to their vision for the organisation from a security perspective. Since the onset of Covid-19, most CISOs have had to strengthen their cyber-defence capabilities to counter the looming threat of potential cyberattacks. However, during the process of strengthening their cybersecurity, CISOs need buy-in from the entire organisation and have everyone on board."

In some cases, regulation even puts CISOs in the firing line: new guidance from South Africa's Information Regulator notes that companies need to assign an information officer in compliance with the Promotion of Access to Information Act. These roles have to be localised, and CISOs are sometimes designated as that officer.

A bridge

Yet a CISO isn't entirely divorced from the technical world. At the cutting edge, you might find CISOs that, like chief information officers, have evolved into business-centric positions where they sweat the high-level stuff. But most CISOs still get involved with day-to-day security operations, and it's their technical expertise that distinguishes them from their fellow officers.

What makes for an effective CISO?

Measuring the performance of a CISO can be tricky, especially since if they do their job well, you might not notice. Nor does a breach of the company by cybercriminals mean the CISO isn't being effective. The reality is more complicated, as CISOs have to take on more executive responsibilities that go beyond the tangible actions of operations. So how do we evaluate a CISO's performance?

Gartner proposes that the most effective CISOs are skilled executive influencers, future risk managers, workforce architects and stress navigators. They can target specific executive stakeholders and actively develop their team's competencies and talent gaps.

According to Forrester, the most effective CISOs have to be transformational. They need to thrive in chaos and adapt to developing situations rather than try to control them. They need to be flexible to accommodate user requirements, especially around productivity. Dealing positively with shadow IT is a good example of this attribute. Other attributes include driving change and motivating teams, or being the energy in the room. Effective CISOs do well with an extroverted attitude that seeks out interactions, and they must have a firm grasp of business outcomes and expectations.

Walker says the technical role is where the CISO shows their colours. "They need to be able to say, 'This business information, this data is critical and highly sensitive.' They lead access and permission discussions."

In fact, the modern CISO might not be leaving the technical world behind. They act as the business' bridge between its security needs and technical capabilities. It might be more apt to say the CISO's role has expanded to now include the rest of the business in security considerations.

"Managing various stakeholders within an organisation and bringing everyone on board to share the vision of the CISO is fast becoming an important element of the role's responsibilities," says Chikanga.

This point brings us to another consideration: how should we evaluate CISOs? It's not helpful to assume that if there are no breaches, then the CISO is effective. Nor is it fair to say that if there was a breach, the CISO has failed. Security's realities are too complicated for such glib evaluations.

The topic is a source of debate, leading to various benchmarks and expectations from different quarters (see sidebar: What is an effective CISO?). Walker notes that we mustn’t forget the seniority of the position.

"It's more about how you would evaluate any other C-level executive contribution to the organisational performance. You're not talking here about a middle person with a clear set of KPIs. The KPIs are more generic. How well is security strategy being implemented? What are the relationships with security vendors? Where is customer satisfaction in terms of ease of use?"

Here's a thought: perhaps much of it is up to the CISO to define. If anything distinguishes the CISO of today, it's how they contextualise security for the business, develop the internal relationships with other stakeholders to achieve security that works for them, and several other 'soft' engagements that will link security to business value.

These are uncharted waters. We speak of the modern CISO as a mainstay, but it's still an emerging role. Organisations have barely begun to wrap their minds around what the cybercrime threat represents and what they can do about it. The CISOs who can keep sight of that with words and action will be the industry's rising stars.
