Déjà vu for the CISO

Rising chief information security officers, like CIOs before them, need to start thinking like business people.

When companies first created the position of chief information officer in the late 1980s and early ’90s, the person who filled it was the “geek-in-charge,” rising through the ranks of the information systems department to become its leader.

Back then, when technology functioned as a tool to aid worker productivity and records keeping, having a tech specialist in the CIO role made sense. Who better than a geek to take charge of system maintenance, upgrades and troubleshooting?

Then came the Internet, and everything changed. Technology moved from a supporting role to a starring one. Computers became essential to every aspect of doing business, from internal communications to customer engagement, to advertising and marketing, to sales. As tech and business became inextricably intertwined, the CIO’s role began to change, as well.

Does this tale sound familiar? A similar scenario is playing out now with chief information security officers. Often beginning in IT and rising to the upper echelon of security and risk departments, CISOs in recent years have seen information security take on a crucial role in business operations. Hearing the CIO story ought to seem familiar to the modern CISO. What lessons can we learn from it?


JR Reagan writes regularly for FedScoop on technology, innovation and cybersecurity issues.

Recognizing the importance, and potential, of technology to their organizations, a growing number of boards of directors have invited CIOs to join their ranks in recent years. Offered a seat at the table with the organization’s top executives, gaining a voice in key business decisions: The CIO, it seemed, had come of age — as is happening with the CISO today.

But for many CIOs, reality fell short of expectations. When they spoke, no one listened. Or, worse, they didn’t know what to say. Removed from their familiar world of RAM and bytes and system upgrades and MS-DOS, these CIOs lacked the business acumen to speak the board’s language. Many couldn’t read a profit-and-loss statement.

Ditto for the CISO. For many of us, firewalls and viruses and Trojan horses are the mainstays of our profession: We can talk endlessly about spyware, authentication and encryption while the eyes of our fellow board members glaze over. And when it comes to justifying new cybersecurity expenditures by demonstrating how they’d add value to the business? Often, we can’t — because many of us don’t know how to think like business people.

It’s never too late to learn, however, as the CIO’s story proves. As the demands of the job have changed, the savvy CIO has adapted, too, acquiring new skills via training or mentoring and learning the mindset, and language, of business. Many developed partnerships with others internally and externally, and began to think creatively about how big data, cloud computing, social media and other technologies might enhance the organization. Business-oriented CIOs now sit firmly in the proverbial catbird seat, wielding influence, highly valued and very much in demand.


As existing technologies evolve and new ones emerge at a dizzying pace, boards increasingly look to the CIO for solutions, strategies, and innovations. In its “State of the CIO” annual reports, the magazine notes that, in 2013, 39 percent of CIOs reported to the CEO; in 2014 and 2015, 44 percent did so. Sixty-four percent said their CEO consulted with them directly about strategy. The successful CIO is no longer just a tinkerer, but a creative thinker, as well.

And the rewards are significant. Yes, the CIO’s job is more demanding than ever, but 85 percent of respondents said it is also more important to business. As a result, CIO earnings are up: In 2014, CIOs were among the five highest-paid officers at 31 Fortune 500 companies. Janco Associates’ annual “CIO Millionaire Club” survey found 40 CIOs whose total compensation package topped $1 million this year, up from 15 who reported comparable earnings in 2013.

The CISO’s role stands to follow a similar trajectory. Analysts predict a transformation in the position from technology-focused to business-focused, and warn that those who fail to adapt may lose their jobs. With recent data breaches of unprecedented scope costing hundreds of billions in losses and untold amounts in reputation and brand, organizations recognize that protecting their data and that of their workers and clients is now essential to business success.

To keep the business safe, boards of directors are realizing they need the CISO’s perspective. A growing number of major corporations are adding cybersecurity experts to their boards, the Los Angeles Times reported in an Aug. 16 article. Like the tech-oriented CIO, however, many CISOs remain behind the business curve. A recent study from market research firm Forrester reports that, among CISOs at large corporations, 52 percent report to IT. The number of those on boards, or reporting to the CEO, is growing: 12 percent reported to the board in 2014 as opposed to 5 percent in 2012; 23 percent reported to the CEO/president last year, up from 18 percent in 2012.

As with the CIO, however, well-roundedness is proving essential for the CISO. One major corporation searched six months for a CISO with business experience, someone who could ramp up security without risking the bottom line. So great is the demand for top-notch, business-savvy security officers that pay is skyrocketing. In the last half of 2014, Fortune 100 companies increased CISO compensation by one-third, topping $1 million in certain industries.


Hindsight is 20/20, it’s said — foresight, rarely so. We in cybersecurity have the advantage of the CIO’s experience to illuminate our path to the top, and show us what we must do to stay there. How will you meet the challenges facing tomorrow’s CISO?

JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer.