
Raghu Nandakumara at Illumio describes how the CISO’s role must change to match the new reality of cyber-risk
Driven by Industry 4.0 and the growth in IoT devices, the convergence of IT and OT is ushering in a new era of cyber-security. The relentless convergence of different systems means previously separate operations are increasingly interconnected and interdependent. Security risk can no longer be neatly compartmentalised, and threats are now universal to the entire enterprise.
Yet the structure for security leadership and oversight has typically failed to keep up with these fundamental changes.
We need to see the roles of security leaders redefined to match the new reality of cyber-risk. The traditional Chief Information Security Officer (CISO), focused primarily on the realm of IT, must evolve into the Chief Security Officer (CSO), a role with far broader responsibilities.
With cyber-threats capable of rippling across the entire organisation, this shift acknowledges the need for a unified leader and single view of security across all domains - physical, digital, and operational.
Not long ago, increasing awareness of security risks among business leaders was a major goal for the cyber-security industry. Fortunately, we have seen significant progress here, and cyber-security is now an increasingly prominent feature on the boardroom agenda. However, as cyber-risks grow, awareness alone is no longer enough.
The next milestone is transitioning from awareness to accountability, where leaders take ownership of security outcomes. We saw an interesting example of this recently when Microsoft CEO Satya Nadella requested a reduction in his pay package to account for various security failings at the company.
It’s admirable that he actively raised the issue and took responsibility as chief executive. Such actions signal a new era where cyber-security is recognised as a collective leadership responsibility, not just the remit of security teams.
This cultural evolution aligns with the rise of the CSO and their remit for overall resilience. This is the shift from awareness to accountability we need to see. Cyber-security is no longer confined to the realms of IT. Ransomware raised the stakes; now it’s not just about protecting IT systems but ensuring the business can continue to operate when an attack hits. At the board level, this means not only recognising cyber-security risks but taking ownership and showing that responsibility extends to the C-Suite.
The CSO’s broader responsibility for cyber-risk can establish greater influence in the boardroom and ensure that security is woven into the business strategy, driving accountability throughout the rest of the company.
This can also help to ensure that security investments focus on delivering a measurable reduction in risk rather than the common tendency to go after fashionable IT security trends that deliver good optics but no measurable resilience gains. By driving substance over surface-level fixes, the CSO sets the tone for a proactive, responsible approach to modern security challenges.
The transition from CISO to CSO brings significant organisational changes, particularly in how security leadership is structured and integrated. Embracing this model means redefining roles and reporting lines to ensure the CSO has authority across all cyber-risk domains. This alignment is critical for breaking down silos and fostering a unified security strategy and will require strong communication between security teams and leadership.
The CSO’s broader remit also presents an opportunity to rethink cyber-security strategy, streamline investments, and enforce consistent security across the business. For example, there is still a tendency to focus efforts on preventing and detecting attacks, which can leave organisations on the back foot when attackers find a way through defences. However, as the physical and cyber-security realms converge, organisations can’t afford not to invest in capabilities to enhance operational resilience and mitigate the impact of attacks.
This is particularly vital in fields like manufacturing, energy, and other critical national infrastructure sectors with a large amount of cyber-physical systems. The convergence of traditional IT systems with operational technology (OT) epitomises the era where a single vulnerability can escalate into production delays and severe financial and reputational damage that can drag on for months.
Key to success here is visibility and segmentation. CSOs will need to understand the flow of data across the extended attack surface and ensure they are taking steps to protect their Minimum Viable Operations (MVO). In simple terms, this means identifying the essential systems required to keep the company functional and building defences around them to ensure continuity even while under attack.
Importantly, this can only be achieved with an ‘assume breach’ mentality, along with the adoption of risk-based security models like Zero Trust. While IT security leads the approach, successful implementation requires significant buy-in and leadership from the top. This is where the CSO’s authority and sphere of influence are pivotal.
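To make the MVO idea concrete, here is an added example (not the article’s or Illumio’s own code) showing the mechanics behind “identify the essential systems and ring-fence them”. It starts from a constructed asset inventory and a constructed set of observed network flows (all asset names are hypothetical), computes the MVO as the business-critical assets plus everything they transitively depend on, sorts observed flows into traffic the MVO needs versus traffic into the MVO that must be justified, reports dependencies for which no flow has been seen (a visibility gap), and renders an allow-list followed by a default deny for every MVO asset.

```python
from collections import deque

# Constructed asset inventory for illustration: asset -> assets it needs to keep working.
# Every name here is hypothetical.
DEPENDENCIES = {
    "order-intake-app": {"order-db", "identity-provider"},
    "order-db": {"storage-array"},
    "hmi-line-1": {"plc-line-1", "identity-provider"},   # operator control of production line 1
    "plc-line-1": set(),
    "scada-historian": {"plc-line-1", "storage-array"},  # useful, but the line runs without it
    "marketing-cms": {"cms-db"},
    "cms-db": {"storage-array"},
    "dev-jenkins": {"identity-provider"},
    "identity-provider": set(),
    "storage-array": set(),
}

# Constructed flow records (source, destination, service), as a flow collector might report them.
OBSERVED_FLOWS = [
    ("order-intake-app", "order-db", "tcp/5432"),
    ("order-intake-app", "identity-provider", "tcp/636"),
    ("hmi-line-1", "plc-line-1", "tcp/502"),
    ("hmi-line-1", "identity-provider", "tcp/636"),
    ("scada-historian", "plc-line-1", "tcp/502"),
    ("dev-jenkins", "plc-line-1", "tcp/502"),
    ("dev-jenkins", "order-db", "tcp/5432"),
    ("marketing-cms", "cms-db", "tcp/3306"),
]


def minimum_viable_operations(dependencies, business_critical):
    """Return the MVO set: the business-critical assets plus everything they transitively depend on."""
    mvo = set()
    queue = deque(business_critical)
    while queue:
        asset = queue.popleft()
        if asset in mvo:
            continue
        mvo.add(asset)
        queue.extend(dependencies.get(asset, ()))
    return mvo


def classify_flows(mvo, flows):
    """Split observed flows by how they touch the MVO ring-fence.

    allow:   both ends inside the MVO (traffic the MVO needs to operate)
    review:  an outside asset talking into the MVO (must be justified, else default deny applies)
    outside: does not touch the MVO at all (governed by other policy)
    """
    buckets = {"allow": [], "review": [], "outside": []}
    for src, dst, svc in flows:
        if src in mvo and dst in mvo:
            buckets["allow"].append((src, dst, svc))
        elif dst in mvo:
            buckets["review"].append((src, dst, svc))
        else:
            buckets["outside"].append((src, dst, svc))
    return buckets


def visibility_gaps(mvo, dependencies, flows):
    """Dependencies inside the MVO for which no flow was observed in either direction.

    These are blind spots: either the collector cannot see that segment or the inventory
    is wrong. Both need resolving before the generated rule set can be trusted.
    """
    seen = {frozenset((src, dst)) for src, dst, _ in flows}
    gaps = []
    for asset in sorted(mvo):
        for dep in sorted(dependencies.get(asset, ())):
            if dep in mvo and frozenset((asset, dep)) not in seen:
                gaps.append((asset, dep))
    return gaps


def segmentation_rules(mvo, buckets):
    """Render the MVO allow-list followed by a default deny for every MVO asset."""
    rules = [f"ALLOW {src} -> {dst} {svc}" for src, dst, svc in buckets["allow"]]
    rules += [f"DENY * -> {asset} *" for asset in sorted(mvo)]
    return rules


if __name__ == "__main__":
    critical = {"order-intake-app", "hmi-line-1"}  # what the business says must keep running
    mvo = minimum_viable_operations(DEPENDENCIES, critical)
    buckets = classify_flows(mvo, OBSERVED_FLOWS)
    print("MVO:", sorted(mvo))
    for flow in buckets["review"]:
        print("REVIEW: %s -> %s %s" % flow)
    for asset, dep in visibility_gaps(mvo, DEPENDENCIES, OBSERVED_FLOWS):
        print(f"NO FLOW SEEN: {asset} depends on {dep}")
    print("\n".join(segmentation_rules(mvo, buckets)))
```

The point of the “review” bucket is that the flows it surfaces (a build server reaching a PLC and an order database, a historian polling a PLC) are exactly the conversations a CSO needs the business to justify or cut before an allow-list goes live; the “no flow seen” report shows where the flow data is not yet good enough to write rules from at all.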
The shift from CISO to CSO marks a critical evolution in how organisations approach security. By unifying the oversight of all digital, physical, and operational risks, the CSO ensures that cyber-security is no longer an isolated function but an integral part of overall business strategy.
As systems become more interconnected, this role will be even more critical in ensuring resilience and minimising impact rather than just trying to reduce the probability of attack.
Raghu Nandakumara is Head of Industry Solution at Illumio
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543