Defining the Role of the CISO

Author: Robert Putrus, CISM, PMP, PE
Date Published: 28 March 2019

Organizations have diverse understandings of what digital security is and is not. As a consequence, they wrestle with who is responsible and who is accountable for digital security. This further complicates the question of whether the chief information security officer (CISO) position ought to be considered and instituted at all. CISO positions and responsibilities remain largely unsettled because digital security cuts across many aspects of enterprise activity, which calls into question whether it is even possible to place boundaries on the responsibilities of the role.

Do organizations expect the CISO to be a technology wizard, business savvy or a hybrid of both? Do organizations expect the CISO to be the responsible and accountable person in securing the computing environment and informational assets in the enterprise? Should the CISO be part of the executive team, or should the role be confined within the IT group?

The subject of digital security within an organization creates a dilemma for the executive team when it comes to defining the CISO role. Several key gaps can be identified between what senior management may want or expect from the cybersecurity function and how far-reaching the responsibility of the CISO role ought to be; it is important to understand how to bridge and mitigate those gaps.

The CISO can be involved in a wide spectrum of responsibilities, depending on the organization’s size and/or the lens through which the executive team views digital security.

In my recent Journal article, I identified several gaps in understanding among CISO professionals as to how they perceive their role and what experience is expected of them. The following are a few critical gaps:

  • Gap 1: Should the CISO transform from having technical focus to a business focus?
  • Gap 2: To whom should the CISO report?
  • Gap 3: How does the CISO justify a digital security portfolio?
  • Gap 4: Do organizations fully understand digital security functions?
  • Gap 5: Is the CISO an IT function?
  • Gap 6: Do the cloud and mobility present challenges?

As the CISO position is promoted to report higher in the organization chart, greater emphasis is placed on the CISO role and on the expected skill level of those filling it. The profile of the CISO has shifted from technical implementer of technology to one with a business focus and the ability to oversee digital security as a vital business unit, justifying its relevance and demonstrating its return on investment to the enterprise’s bottom line.

Additionally, enterprises are evolving into risk-based organizations. This requires transforming the enterprise culture into a risk-based culture, in which digital security is the responsibility of every employee of the enterprise.

At the same time, such cultural transformation has put greater pressure on the CISO to be a trusted advisor who operates as the integrator of the enterprise business units and as a relationship builder. Digital security is becoming the bridge that integrates the enterprise’s products and services with its business functions.

Read Robert Putrus’ recent Journal article:
“The Role of the CISO and the Digital Security Landscape,” ISACA Journal, volume 2, 2019.