Should the Role of CISO Be Divided into Two Separate Functions?


The Evolving Role of the CISO: A Call for Duality in Cybersecurity Leadership

In an era where cyber threats are becoming increasingly sophisticated and regulatory demands are mounting, the role of the Chief Information Security Officer (CISO) is undergoing a significant transformation. A recent study by Trellix reveals that 84% of CISOs believe the role should be divided into two distinct functions: one technical and one business-focused. The proposed split is intended to strengthen security measures and bolster organizational resilience, reflecting the growing complexity of cybersecurity in today's digital landscape.

The Challenge of Regulatory Demands

The Trellix research, which surveyed over 500 CISOs worldwide, highlights the pressing challenges that these leaders face in navigating the intricate web of cybersecurity regulations. As Harold Rivas, CISO of Trellix, puts it, "We've entered the CISO duality era." This new paradigm requires CISOs to adopt both a technical and a business-oriented perspective, and it places a premium on strategic communication.

CISOs are no longer solely responsible for maintaining cyber hygiene; their roles have expanded to encompass risk management, compliance with evolving regulations, and alignment with organizational leadership. They are now the critical link between key stakeholders, business objectives, and cyber resilience. This duality is essential for effectively defending against advanced threats while ensuring that cybersecurity strategies align with broader business goals.

Prioritizing Cybersecurity in a Complex Landscape

As the cybersecurity landscape continues to evolve, CISOs are prioritizing several key areas. Proactively maintaining a robust cybersecurity posture, focusing on ransomware prevention and mitigation, defending against state-sponsored attacks, and responding to global IT incidents are all top priorities for CISOs this year. However, these responsibilities come with the added challenge of navigating complex regulatory requirements and heightened stakeholder expectations, all while operating with limited resources.

The impact of these growing responsibilities is palpable. While 93% of CISOs acknowledge that cybersecurity regulation has positively influenced their careers, granting them greater influence in strategic decisions and board-level discussions, 79% express concern that the time and effort required to keep pace with regulatory changes are unsustainable. This tension underscores the need for a reevaluation of the CISO role to ensure that it can effectively meet the demands of the modern cybersecurity landscape.

The Importance of Enhanced Reporting Skills

One of the critical skills that CISOs must develop is the ability to report effectively to the board. The study reveals that 49% of CISOs report to the board weekly or more frequently, adding to their already overburdened workload. Unfortunately, many CISOs struggle to align their perspectives with those of the board and other C-level executives: 66% of CISOs believe that the board lacks the technical knowledge necessary to fully comprehend cybersecurity issues, while 59% report misalignment with their CIO or CEO.

This disconnect can make it harder to communicate the importance of cybersecurity initiatives and to secure the resources needed for effective risk management. Against this backdrop, 91% of CISOs agree that the expanding responsibilities associated with their role will likely lead to higher turnover, and 49% do not envision a long-term future as a CISO.

The Case for Role Specialization

To address these challenges, 84% of CISOs advocate dividing the role into a technical position (CISO) and a business-focused position (BISO). The argument is that this separation would allow each function to concentrate on its own responsibilities, improving the organization's overall cybersecurity posture. With dedicated leaders for the technical and business aspects, organizations can ensure that cybersecurity strategies are not only effective but also aligned with business objectives.

Moreover, CISOs emphasize the need for additional support from regulators, organizations, and peers. 87% of CISOs believe that discussing cybersecurity regulations with peers is more valuable than conducting independent research. This highlights the importance of collaboration and knowledge-sharing within the cybersecurity community.

Building a Collaborative Community

As Jim Jenkins, VP and Information Security Officer at Vantage West Credit Union and a member of the Trellix CISO Council, notes, “An element to success for CISOs is a strong collaborative community.” The demands of the CISO role can be overwhelming, especially when resources and support are limited. By learning from peers and sharing information, CISOs can become more efficient and refocus their efforts on strategic initiatives.

To ensure the future success of the CISO role, it is crucial to establish clarity around responsibilities and expectations. This includes providing clear guidance and support from leadership and regulators, as well as fostering a collaborative peer community. By doing so, organizations can empower their CISOs to navigate the complexities of cybersecurity effectively and drive meaningful change within their organizations.

Conclusion

The evolving landscape of cybersecurity necessitates a reevaluation of the CISO role. As the demands of regulatory compliance and advanced threat management continue to grow, the call for a duality in the CISO function becomes increasingly clear. By embracing this shift and fostering a collaborative community, organizations can enhance their cybersecurity posture and ensure that their leaders are equipped to meet the challenges of the future. The time for change is now, and the future of cybersecurity leadership depends on it.
