How Is The CISO Role Changing?
A Perspective on the Changing Circumstances for Security Leaders
India is making substantial investments in establishing cybersecurity capability and capacity. However, the massive challenge it faces in terms of skilled manpower is the same as that faced by other countries around the world. Moreover, the increasing sophistication of the threat landscape means that most security professionals today find they need to constantly reskill and retrain, lest they fall behind. The CISO falls squarely into this category.
Those organizations lucky enough to have CISOs are trudging on. But many that have the vacancy, or have felt the need to create the role, have their job cut out for them. CISOs are increasingly leaving in-house roles for positions that keep them engaged, pay better and offer constant, varied and challenging work with MSSPs or consultancies, as per a few practitioners I spoke to on a recent trip to New Delhi. (Also See: MSSPs, The Preferred Route to Skills Challenge)
It's fair to say that the landscape has matured quite a bit, with many organizations in non-regulated spaces feeling the need for, and instituting, the CISO role. However, in a recent discussion with one prominent industry observer, I was surprised to hear him say that security is still very much the CIO's baby.
His contention is that in the majority of organizations, except where there is a regulatory mandate, CISOs report to CIOs, despite the traditional conflict of interest this creates. The real test of security as an industry is outside of regulated verticals, he says. "Leave out IT/ITES, Telecom and BFSI, and what do you have?" he says. "Manufacturing, retail, hospitality, healthcare - this is where the real change needs to happen."
Most CISOs in the industry today are at heart network admins, he says. They have a very myopic perspective on the business. What they need from the CIO today is help understanding the business touch points and how security matters to the business. As Bruce Schneier says, security in and of itself is never going to work. (Related: Breach Response: The New Security Mandate)
Very few Indian CISOs today have the maturity to interface with the business and enable it, he believes. "A CISO left to his devices is a dangerous guy to have around in the Indian context - his paranoia will ensure the business gets nowhere." By and large, the CISO's exposure to the business world is small. This is changing, but not fast enough, he believes.
The question is, will this change happen? Is there enough time?
While the CIO community has had a long time to learn the ropes, how long will it be before the CISO picks up similar skills? How can the network admin start talking business? The analyst I spoke to believes that with the CIO community itself struggling to stay relevant, in spite of the wholesale digitization happening all around, the CISO role may not remain as it is now for long. (Also See: IDRBT's Ramasastri: Strengthen the CISO Office)
How Will CISOs Continue?
Last year saw many well-known CISOs in the industry step down and take up roles as consultants, advisors and with service providers and vendors. There is a sense in the industry that where in-house skills and teams are hard to set up and maintain, going the MSSP way makes a whole lot of sense, because the manpower is highly skilled, current, hands-on and, best of all, available on demand.
It is no surprise, then, that trends like the virtual CISO, MSSP-driven security and so on are rapidly gaining prominence in the Indian market. For a long time, the CISO role never gained prominence in the Indian market. In fact, four years ago, if I needed to find a CISO to talk to, it would be in regulated industries like banking and telecom. IT/ITES, by the nature of its business and expertise, also caught on early. (Also See: The New Demand for Managed Services)
The job of the CISO is finite in many industries, which is why the concept of a virtual CISO is a great one, the analyst says. Moreover, the training and skills CISOs need have undergone a fundamental change, and many companies are not able to justify the expense and effort required to retrain and reskill CISOs and security teams. Not when this can be managed much more easily by enlisting the help of a service provider, who does have these resources, a plethora of clients and use cases, and the volume of work needed to stay relevant.
The virtual CISO is going to take over in a huge way. How, then, does a CISO survive in the company and justify his role? (Also See: The Business Case for Virtual CISOs)
So to sum up: 1) CIOs are still calling the shots in security in most organizations; 2) CISOs need the CIO interface to connect with the business; 3) CISOs do not have the luxury of the same trajectory that the CIO role took over the last decade or more to mature into a business role; and 4) it seems they might not get that chance at all, with organizations finding it expedient and effective to hire expert service providers to do security, managed by the CIO's office, which is a past master at vendor management anyway.
This is a bit counterintuitive, considering how important security is increasingly becoming. I for one will stay tuned for the direction this evolution is set to take. (Related: The Evolving CISO)