And technical skills, he added, while key to the “functional” success of a CISO, “do not lend themselves well to the business acumen and communication skills needed to work with your typical C-suite today. The main shift needed is towards thinking in terms of risk, not technology, and how this risk relates to various aspects of the business.”
Christiansen agrees, to the point that he said the job is getting a different title. “The role of the CISO is evolving to the chief information risk officer (CIRO),” he said. “The CIRO has a much broader and impactful responsibility than the CISO of the past and is a true member of the C-Suite.”
That evolution, experts agree, should also help reduce or even eliminate the perception of the CISO as a technocrat who enforces rigid security policies that other C-level executives view as barriers to progress and productivity.
According to Lyons, CISOs should use successful CIOs as models. “They need to learn how CIOs have made technology a strategic component of every aspect of business today and apply that to cybersecurity,” he said. “CISOs can’t just live in the SOC. They need to understand the entire enterprise and the flow of information across their organization.”
Christiansen said some of it comes down simply to “understanding the culture of the company for which they work,” such as whether it is “risk averse” or willing to take risks, and also to learning what the CEO’s top objectives are for the year.
“Successful CISOs are able to relate each project they do to a business initiative and openly discuss how their security program contributes to revenue and the bottom line of the company,” he said.
Chris Wysopal, cofounder and CTO, Veracode
Wysopal said while training is mandatory, “it will ultimately come down to the effort CISOs are willing to make to adapt to new environments. There will be those who ‘wash out’ for sure, and that’s a natural aspect of this sort of role evolution.”
But he added that “the transition shouldn’t be solely on the CISO’s shoulders,” given how crucial an effective security program is to any enterprise. “The C-suite already has a wealth of ability in the skillsets needed by the CISO, and they should be helping that person learn the ropes,” he said.
“An effective CISO is a powerful addition to the leadership of any company, and it’s in the best interest of everyone to foster growth that leads to this.”
That transition is expected to take some time, however. “The stereotype of security staff focused on securing the data rather than enabling the business, like any stereotype, is hard to shake,” Christiansen said.