By Shankar Bhaskaran, Managing Director – India, MetricStream
The role of the CISO has continued to evolve in recent years, and it took a particularly large leap during the pandemic as businesses faced greater cyber risks, new regulations, and accelerated digital transformation. Meanwhile, CISOs saw themselves playing a strategic role rather than just performing operational tasks. Their opinions have become a crucial part of business decisions.
Today, the role of the CISO has evolved into one of the most important in the organization. They have become key enablers of business performance by protecting corporate assets and data privacy. A 2021 survey of global CISOs found that 45% of CISOs now have responsibilities in the three key areas of security, risk and trust.
Here’s a look at how Next-Gen CISOs influence business decisions.
Business strategy: CISOs are now considered to play a strategic role in organizations. Their role has evolved from managing IT security to understanding business strategy, owning end-to-end IT risk management and aligning it with organizational goals to build cyber resilience. Mapping organizational strategy, technology, infrastructure and compliance requirements, and embedding cybersecurity into culture, processes, and technology are all part of the CISO’s responsibilities. The CISO also leads security change by keeping a line of sight on technology trends and disruptions, aligning information security investments and cyber risk mitigation measures with business priorities.
Built-in data protection structures: Today, CISOs use AI-enabled Connected-GRC platforms to create robust insights and integrated data protection programs for their organizations. This includes establishing the cyber risk management framework that ensures long-lasting protection for all intangible assets and strategic advantages. Today, CISOs are also involved in performing cyber audits and in training both cybersecurity staff and general employees in security protocols and safe practices.
Provide visibility on third-party and fourth-party risks: As companies continue to outsource, more vendors are being added to business processes. These range from cloud service providers and technology partners to contractors and consultants. Of these, only a few vendors may have the necessary systems and capabilities in place to ward off cyber threats sufficiently. With third-party and fourth-party IT vendors now part of the extended ecosystem, CISOs now provide visibility into vendor risk. This involves identifying and categorizing vendor relationships, performing due diligence, conducting regular security assessments, monitoring vendor compliance with cybersecurity standards, tracking updates, and so on.
Corporate Governance, Risk and Compliance: Today, CISOs can no longer operate in silos. In the era of Connected-GRC, the role of a CISO is now to enable ongoing compliance with regulations and standards across all digital assets and processes. For example, aligning business transformation with net-zero carbon emissions is a complex process. For this to work, companies would need an ESG framework integrated into business strategies and processes. A data-driven approach should be used to set targets for reducing carbon emissions and improving energy efficiency. Today, CISOs assist boards by working on metrics to link business goals to ESG goals. Cyber governance, including overseeing the smooth running of cyber resilience initiatives and regular reporting to company management, also falls under the purview of the CISO.
C-suite Communication and GIS: The CISO holds the sole responsibility of communicating cyber risks in a way that the board and the rest of the C-suite can understand. Developing effective management information systems that demystify the technical details of cybersecurity, and expressing risks in easy-to-understand heatmaps, are part of the CISO profile. In addition to this, the Next-Gen CISO should quantify risk in monetary terms to help management prioritize the protection of risky assets.
According to a global information security survey, 25% of CISOs are confident that they can quantify, in financial terms, the effectiveness of their spending to address risk.
As India moves forward on the path to digital transformation, CISOs need to build seamless cross-functional relationships that support innovation and transformation. Next-generation CISOs are already carving out this role. We see them dialogue more regularly with their board of directors while playing an active role in the decision-making process. It’s encouraging to see next-generation CISOs emerging as strategic thinkers and agents of change.