A lot has changed since the early years, when enterprises first began embracing the CISO position. Back then, the CISO role was primarily a technical one: control user access, secure the databases, find and patch vulnerabilities, keep the malware out, and eventually help build secure websites and eCommerce platforms. In those days, most of the highly proprietary data resided within the local area network, the data center, or on PCs and notebooks.
We didn't know it then, but information security was a more straightforward technical challenge than it is today.
One of the things that first dramatically changed the role of the CISO was the rise of privacy laws such as GLBA and HIPAA, which required the first waves of regulatory compliance efforts and reports, along with the ability to show outsiders that security and privacy compliance measures were in place.
Today, the CISO plays a more central role in helping to guide enterprise risk management, governance, and regulatory compliance, in addition to all of the traditional technical security functions.
No easy task, to be sure.
The shifting threat landscape
The very nature of the threats CISOs fight has also dramatically changed. At one time, skilled adversaries were far fewer, and fewer still were motivated by criminal profit. The financial gain wasn't yet readily apparent, or so easily had. But that would change, and criminals would take notice.
Take a look at some of the most recent and damaging security breaches in Taylor Armerding's The 15 worst data security breaches of the 21st Century. There, he looks at many, but not all, of the significant breaches that struck retailers, tech companies, financial services firms, entertainment providers and more in the past decade and a half.
And few would doubt that "security breaches at companies like Target and Neiman Marcus have placed these professionals [CISOs] on the front line of defense - and generated significant attention from the C-suite and boardroom," as Matt Comyns, global co-head of the cybersecurity practice at Russell Reynolds Associates, said in the question-and-answer article Inside the changing role of the CISO.
There is no doubt about it: enterprises and governments everywhere now know that if they are going to succeed in the years ahead, they will have to do so by ensuring that their data, applications and information systems are resilient and secure. But just as the threats have changed, so has the nature of the business-technology systems they defend.
From virtualization to public, private and hybrid cloud architectures, from cloud and web-centric applications to the speed and agility of DevOps and its continuous integration and continuous delivery pipelines, the systems enterprises build, and how they build them, are changing very rapidly.