Many CISOs I talk to still spend a lot of time fighting operational fires. This survey may be more about aspiration than reality…:
Security leaders are evolving from technicians to business executives as tech drives enterprise projects, applications, and goals.
The tasks topping the CISO’s to-do list are slowly shifting, as their core priorities transition from primarily technical expertise to securing business applications and processes.
It’s the key takeaway from a new report, conducted by Enterprise Strategy Group (ESG) and commissioned by Spirent, on how CISO responsibilities are shifting as cybersecurity becomes more complex. Researchers polled 413 IT and security pros with knowledge of, or responsibility for, the planning, implementation, and/or operations of security policies and processes.
“There’s a transition from a technology focus to a business focus,” says Jon Oltsik, ESG senior principal analyst. “And that doesn’t preclude the oversight of technology, but the technology is sort of guided by business initiatives, business applications, business goals, things like that.”
About 80% of experts say security knowledge, skills, operations, and management are more difficult now compared with two years ago. They attribute the complexity to growth in the number and sophistication of malware, IT projects, targeted attacks, and connected devices.
Nearly all (96% of) respondents say the CISO’s role has expanded, and the primary driver of that prominence is the increasing difficulty of protecting enterprise data. Nearly 80% point to malware as the primary reason, and many claim that between 80% and 90% of malware attacks target a single device, and that 50% to 60% of malicious Web domains are active for one hour or less.
Organizations are increasingly digital and cyberattackers are taking precise aim to poke holes in their defenses. Oltsik calls it “death by a thousand cuts”. CISOs have seen breaches and regulations increase as more people realize the business is driven by tech. “Regardless of what business you’re in or process you’re talking about, there’s an IT underpinning,” he notes.
CISOs are becoming part of more board-level discussions to prevent breaches.
“There’s a real shift from reactivity to proactivity,” says Oltsik. In the past, companies built their defenses and hoped nothing bad would happen. When something eventually did happen, their responses were poorly organized, inefficient, and took a long time to put into practice. What’s more, responses were tech-oriented, not business-oriented. The answer to a compromise was “let’s fix the system” and not “how do we fix the business,” he explains. Now, this has changed.