For years, many have seen the Chief Information Security Officer (CISO) as only a technical advisor to the C-suite: the CISO counts vulnerabilities and assesses patching status, reports progress on both to other executives, and then leaves the business risk questions to strategic advisors and decision-makers. If this ever was an accurate description of what a CISO does, or should do, it is no longer sufficient. Systemic shifts within and outside of the business environment have changed the role and responsibilities of the typical corporate CISO for good.
Nonetheless, a central and constant objective of all CISOs is still to protect the security, confidentiality, integrity, and availability of an organization’s information and infrastructure, and, by extension, its entire operations. Because of growing corporate reliance on information technology systems for business operations; the rising threat of cyberattacks from criminal and nation-state actors; and expanding institutional and personal legal liability, CISOs now face a more complex set of challenges internally and externally. Unfortunately, they often do so with the same limited set of authorities and protections they had before most organizations viewed cybersecurity as an executive-level enterprise risk concern.
Too often there is a fundamental divergence between the responsibilities CISOs bear and the authority they are given to fulfill those obligations. This divide is exacerbated by a lack of understanding among board members and senior executives regarding what CISOs do, the scope of their authority, and how their role supports organization-wide missions. Together, these structural barriers make it more difficult for CISOs to achieve their core objective, and for organizations to protect their data and operations and achieve their business mission.
This report seeks to provide context on the current expectations and responsibilities placed on corporate CISOs; describe how those responsibilities reconcile with the authorities CISOs generally have and realities they face on a day-to-day basis; and provide high-level, structural recommendations on how business organizations can ensure that their CISO is equipped to protect business systems and achieve institutional objectives in this changed environment. The report is designed to be accessible to the general public, and also to be a tool for CISOs, corporate executives, and board members to assess whether their organization, and their CISO, is structured to be able to address the range of cyber-related risks entities grapple with on a daily basis.