{"id":2216,"date":"2020-01-24T03:31:12","date_gmt":"2020-01-24T00:31:12","guid":{"rendered":"http:\/\/kusuaks7\/?p=1821"},"modified":"2024-01-24T13:00:32","modified_gmt":"2024-01-24T13:00:32","slug":"towards-a-new-profile-for-the-ciso","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/towards-a-new-profile-for-the-ciso\/","title":{"rendered":"Towards a New Profile for the CISO"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

A decade of firefighting has taken its toll on the CISO profession<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe role of the chief information security officer\u00a0(CISO) is changing. If that was ever the case, it can no longer be seen JUST as a technical role.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIn some industries, it is being challenged by the world-wide tightening of regulations around privacy and the emergence of DPOs<\/a> and other related roles.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tEverywhere, it is being challenged by the non-stop avalanche of cyber-attacks and data breaches of the past decade, which have raised the visibility of cyber security to Board level, but at the same time have also prevented many CISOs from getting out of fire-fighting mode.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSenior executives are increasingly endorsing a \u201cwhen-not-if<\/a>\u201d paradigm around cyber-attacks and are demanding fundamental change and action beyond day-to-day fire-fighting, often in exchange of very significant investments around security.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nThey are expecting the CISO to lead such programmes of work, but many CISOs have never been recruited or trained for such a challenge, under such level of scrutiny.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tVery often, it is about addressing problems rooted in a decade of lip service or under investment around security, and it involves a true transformation of many business practices across the firm.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tYou don\u2019t become a transformational leader overnight, in particular if your background, your skills and your core interests are centred around the more technical aspects of cyber security. Nothing wrong with that, and while the focus was on fire-fighting<\/a> cyber-attacks all the time, those would have been valuable qualities.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tBut as the focus shifts towards transformation and execution, the ability to influence across silos and to understand the true nature of the business and the more transversal aspects of security, becomes paramount. Those are rarely attributes of a native technologist, and they are not attributes you develop through the constant fire-fighting of technical problems.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSo parallel to the \u201clost decade<\/a>\u201d of cyber security and reflecting it, there is also a lost decade for the CISO profession. A lost decade during which many have hopped from job to job, collecting higher and higher salaries for their technical firefighting skills, but without encountering the terrain in which to develop true enterprise-level leadership and transformational skills.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAs senior executives turn a page and we enter \u2013 possibly \u2013 an execution-dominated decade around cyber security, many CISOs are just not equipped to lead.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tLet\u2019s say this one more time: Just throwing money at cyber security problems won\u2019t make them disappear overnight. Remediating issues rooted in a decade of adverse prioritisation by the business will cost money, but it will also require time and in many cases, relentless drive to change mindsets.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tWho should do this, if the CISO can\u2019t? \u2026 There are broadly 2 types of options:\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tOrganisational models may need to evolve<\/a> to allow a broader CSO type of role to emerge in large firms, encompassing security at large, continuity and privacy, with the CISO role retreating back to its technical roots. This would by itself attract a different calibre of individual into each role and such rebalancing of skills could be key to the success of large-scale cyber security transformation programmes.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAlternatively, the profile of the CISO needs to change to adjust to the imperatives of the \u201cwhen-not-if\u201d era:\u00a0 It becomes essential to start prioritising leadership skills over technical skills and distribute roles across a structured function, instead of looking for \u201cunicorn<\/a>\u201d profiles: Nobody can be credible on all fronts all day long from the Board down, and horizontally across all functions and geographies of the business. Those profiles don\u2019t exist and pretending otherwise is just setting the CISO to fail.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

As senior executives turn a page and we enter – possibly – an execution-dominated decade around cyber security, many CISOs are just not equipped to lead. The profile of the chief information security officer  (CISO) needs to change to adjust to the imperatives of the “when-not-if” era:  It becomes essential to start prioritising leadership skills over technical skills and distribute roles across a structured function, instead of looking for “unicorn” profiles: Nobody can be credible on all fronts across all functions and geographies of the business. Those profiles don’t exist and pretending otherwise is just setting the CISO to fail.<\/p>\n","protected":false},"author":529,"featured_media":3474,"comment_status":"open","ping_status":"open","sticky":false,"template":"single-post-2.php","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[100],"ppma_author":[3178],"class_list":["post-2216","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-fraud-amp-risk"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. He is the author of \u201cCyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d, He contributes regularly to\u00a0The Digital Transformation People<\/a>,\u00a0Business 2 Community<\/a>, and\u00a0IoTforAll<\/a>\u00a0platforms, as well as the\u00a0Business Transformation Network<\/a>. He is an expert contributor on the\u00a0CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0InfoSecurity<\/a>\u00a0Magazine, \u00a0Computing<\/a>, the C-Suite.co.uk,\u00a0Info Sec Buzz<\/a>\u00a0and the\u00a0IoD Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=2216"}],"version-history":[{"count":5,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2216\/revisions"}],"predecessor-version":[{"id":35619,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2216\/revisions\/35619"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3474"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=2216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=2216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=2216"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=2216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}