Today’s CISO is Shifting Toward Strategic Business Enablement

By Jonathan Nguyen-Duy | September 11, 2018

Businesses and government agencies of all sizes are experiencing cyber attacks that are growing in both frequency and complexity. Cybercriminals, nation-states, and a host of other bad actors are developing new tactics, tools, and procedures to circumvent modern cybersecurity solutions. We are increasingly seeing targeted attacks employing customized malware and the ready availability of dark web market tools and services covering every aspect of the cyber kill chain. In fact, a recent Fortinet Global Threat Landscape Report shows that virtually no firm is immune, with 96% of firms experiencing at least one severe exploit.

In order to address these new threats while maintaining operations, growing the business, executing the mission, and implementing digital transformation, organizations are finding that success requires a balanced focus on both business and security requirements. This development is reflected in the changing roles and responsibilities of the Chief Information Security Officer (CISO). Public sector agencies and private enterprises are now seeking CISOs with the deep technical expertise, organizational leadership, and business acumen needed to achieve business objectives.

A New Survey of CISO Employers and Applicants

This trend is analyzed in a study released by Fortinet on the changing role of the CISO. It is the first in a series of analytical reports on security occupations; the series examined over a thousand cybersecurity job ads and resumes from organizations across the globe using natural language processing (NLP). With analytics conducted by the data sciences firm Datalere, this initial report explores how organizations are redefining the roles and responsibilities of their CISOs by expanding job criteria to include organizational leadership, business management, and other traditional “soft” skills.

What we learned is that the role of the CISO is undergoing a dramatic departure from its traditional, singular focus on network security. Today, organizations expect their CISOs to function across a variety of business initiatives while overseeing security initiatives, supporting digital transformation, and driving business growth.

According to our research, organizations are looking for CISOs who possess a mix of hard skills (experience and training) and soft skills, the latter falling into four quadrants: leadership, communications/interpersonal, analytical, and personal characteristics. When it comes to hard skills, organizations are still looking for CISOs with expertise and training in the traditional security, privacy, and compliance issues. As for soft skills, leadership skills are listed more than twice as often as the other three quadrants combined.

As security becomes more integral to business success, CISOs are being tasked with cross-functional leadership responsibilities to ensure the alignment of business objectives with IT and security strategies, and to manage risk rather than simply deploy tactical security technologies. This new breed of CISO has responsibilities that extend beyond traditional technical domains, serving as a technology pathfinder for digital transformation.

The Gaps between Cybersecurity Employers and CISO Job Seekers

As we reviewed the hard and soft skills organizations identify as necessary in prospective CISOs, we noticed an interesting shift that illustrates how today’s CISO responsibilities are changing. Employers now cite soft skills over 30 percent more often than CISO applicants include those skills in their resumes and applications. This gap suggests applicants have been slow to recognize the shift in C-level security hiring priorities.

Why the Role of Chief Information Security Officer is Changing

Businesses and organizations are struggling with the demands of today’s digital marketplace and its connected citizens and consumers. Digital transformation is changing the composition of C-suites. For CISOs, this means valuing the achievement of business and revenue objectives as highly as risk management and compliance objectives.

Our research suggests that as businesses look to hire the next generation of CISOs, the role is becoming more expansive, taking in strategy, management, and leadership responsibilities. Given the rapid pace of innovation and change driven by digital transformation, CISOs need deep technical expertise combined with transformational management skills. Both consumers and regulators increasingly view security as an integral part of the customer experience, demanding robust security and privacy throughout the business. Going forward, CISOs must be enablers of innovation and growth, as well as of security, compliance, and privacy.

These emerging trends have not gone unnoticed by threat actors, who are looking for seams to exploit in new enterprise work streams. These new CISOs now face an expanded combination of exploits against known vulnerabilities and customized zero-day attacks. Today’s CISOs must be able to effectively secure expanding networks against this growing menace while also meeting the evolving business objectives that define their new role.

Addressing Network Security for the Modern CISO

Digital transformation and the accelerated pace of innovation, complexity, and threats mean that security must operate at the new speed of business or become irrelevant. CISOs must be masters of technology, risk management, and business enablement. To achieve this, they need a broad, integrated security architecture that automates deep visibility and control at speed and scale. This fabric-based approach enables digital transformation through deep technology integration enhanced with the latest threat analysis, detection, and prevention techniques, event and threat correlation, and coordinated response, letting CISOs focus on business enablement without getting bogged down in the constant reactive cybersecurity management challenges of the past.

As part of Fortinet’s ongoing commitment to help CISOs focus on business-related issues without compromising the integrity of their security posture, we released significant updates to the Fortinet operating system, FortiOS 6.0, earlier this year. This expansion of our Security Fabric includes over 200 critical enhancements, among them transparent visibility and control across the attack surface, event analytics, and support for regulatory compliance and risk management, while automating the delivery of visibility across the extended network.

Access or download the full report: “The CISO Ascends from Technologist to Strategic Business Enabler.”