In the 1990s, when organizations thought it wise to establish the role of Chief Information Security Officer (CISO), it was mainly about IT specialists managing cyber risks. Over time, CISOs tackled broader issues, but their main focus still revolved around preventing cyber breaches and meeting compliance.
However, available data suggest the CISO role is undergoing a dramatic shift due to several factors.
Gartner predicts 45% of CISOs will oversee more than just cybersecurity by 2027. And 86% of CISOs agree their role has evolved in many ways since they started, according to a Splunk report — turning them into strategic business leaders, pushing them to report directly to CEOs instead of CIOs.
Can CISOs adapt to these expanding responsibilities, or are they taking on too much?
To answer this question and more, we caught up with Greg Crowley, CISO at eSentire, to shed more light on the evolving landscape of the CISO’s responsibilities.
About Greg Crowley
Greg Crowley is the Chief Information Security Officer at eSentire. His career stretches back more than 20 years in IT and cybersecurity, and his focus is on how to communicate a strategic vision for security and then execute that vision in practical terms.
His belief is that the ability to communicate around defense is the most important part of his role.
Prior to joining eSentire, Greg led the cybersecurity function as Vice President of Cybersecurity and Network Infrastructure at World Wrestling Entertainment (WWE), holding various leadership roles across engineering, infrastructure and security during his 17-year tenure with the organization.
Alongside his experience, Greg holds a Bachelor’s degree from Queens College and is a Certified Information Security Manager (CISM) and a Certified Information Systems Security Professional (CISSP).
Key Takeaways
- As CISOs take on vastly expanded responsibilities beyond traditional cybersecurity, prioritizing efforts based on risk management is the way to go.
- Burnout is a pervasive issue as CISOs try to be subject matter experts across numerous security domains like data privacy, legal, compliance, etc. There is a need for more role specialization and support staff in these areas.
- To manage overwhelming workloads, CISOs must openly communicate resource needs to leadership and reset expectations around what is realistically achievable with the current team size.
- Maintaining open communication channels and building trusted relationships across all levels is vital for CISOs to identify risks early on and secure stakeholder buy-in when escalating critical issues.
Vast Security Scope Requires Prioritization
Q: CISOs are now responsible for a vast array of security areas, from cloud to IoT to data privacy. How do you prioritize your focus when everything seems critical?
A: It depends on the company’s maturity. Companies vary in size and security progress. Having a CISO is a good start because it shows there is an executive-level person within the company who is in charge of cybersecurity.
However, those demands are expanding. We often have to get involved with data privacy, legal contract reviews that have security and data terms, HR investigations, and the daily tasks of ‘detect, protect, and respond.’
The CISO wears many hats, and it’s all important. So where do you start to focus?
I think it comes down to risk management and likelihood versus impact. When I come into a company, for example, I’ll look at what are those big potential incidents that could hit the company and cause a huge impact, and then assess how prepared and resilient we are.
Those major risks could be different for each company. So you have to prioritize based on the company’s industry vertical, where they are in their security journey, the potential impact severity, and the likelihood of that impact occurring. That’s where you start.
Looming Burnout Risks
Q: With the increasing demands on CISOs, are we seeing a rise in burnout and exhaustion among security leaders?
A: It’s a lot to handle.
I challenge you to find a CISO who has not been burned out, who is not on the verge of burnout, or who is not currently burning out.
There’s still confusion about the role’s responsibilities and appropriate operating level. This is improving as cyber risk becomes a top concern for most companies.
They recognize the need for a CISO who is not just a technical expert but also someone with an executive-level strategic mindset who can communicate with the board and executives while understanding the technical nuances of security risks.
There needs to be better communication and understanding from boards and CEOs.
CISOs cannot be subject matter experts in all areas. They need specialists for legal matters, privacy, and compliance.
Each of these areas is complex and constantly evolving. Compliance, for example, varies by state (U.S.) and by country, with GDPR in Europe being one example. It’s unrealistic for a CISO to keep up with every regulation within their area of responsibility.
So, yes, burnout is common. It impacts both the CISO and the company. If you try to cover everything, you won’t do any task well, and an incident will likely happen. That defeats the purpose of having a CISO and security within the organization.
Balancing Stakeholder Demands
Q: As CISO, how do you balance the competing demands of various stakeholders, from the board to customers, when it comes to security priorities and resource allocation?
A: A lot of it comes down to having a good risk management framework in place. Upfront, you should have conversations about the company’s risk appetite, tolerance, and unacceptable risk levels.
For example, if you’re a software company and engineering wants to push out new features quickly, you can work with them to ensure they do so securely. You can explain the risks and collaborate on solutions that address them, allowing them to achieve their goals within acceptable risk parameters.
It all comes down to understanding the company’s risk tolerance and identifying when initiatives might exceed that tolerance.
Avoiding Gaps in Communication
Q: As you juggle various demands of your job, how do you avoid gaps in communication with stakeholders?
A: Forming good relationships is key to the success of a CISO and the security program within a company. It’s not just at the executive level – the CISO has to form key relationships with stakeholders throughout the organization at all levels, from the top down.
That way you know what’s going on, where the real risks are and where potential issues may be getting buried.
Then at the executive level, you have to build that open rapport and trust. Communication and trust are the keys. You have to prove to them that you’re here as a partner, right?
They have a role and responsibility to stakeholders, the company, the executives, and its people. To operate at that strategic level, you have to establish those key communication channels early on.
For instance, when I come into a new role, I make sure to find out who the key people are across the organization. I set up one-on-ones with everybody. I start by establishing that personal relationship – just ask them about the challenges they’re facing, what roadblocks are getting in their way.
If you can help provide value by removing obstacles for them, you’re going to earn their trust.
Demonstrating Security Value: Metrics for CISOs
Q: How can CISOs measure the value of their security programs, especially considering their expanding roles?
A: Standardizing security reporting is a challenge. Unlike Chief Financial Officers (CFOs) with well-defined metrics, there’s no single set of benchmarks for CISOs. The key is to focus on cyber resilience. This isn’t just about how secure you are, but how well you can anticipate, withstand, and recover from attacks.
Because there are always going to be attacks, vulnerabilities, and incidents – the key question is how resilient we are to prevent those from becoming business-impacting events.
NIST [National Institute of Standards and Technology] has actually defined resilience as the ability to anticipate, withstand, recover from, and adapt to threats. So we can measure resilience across those dimensions.
Anticipation – How well is our security training going? How effective is our vulnerability management program? We track metrics in those areas that roll into an “anticipate” status.
Withstanding – If an attack occurs, how well can we withstand it? We measure mean-time-to-detect, respond, recover, and contain. That shows our ability to withstand and prevent threats from spreading once inside the environment.
Recovery – Do we have a solid incident response plan? Have we tested it through tabletop exercises? Can we recover data within our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets? Those recovery metrics factor into our overall resilience.
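The three resilience dimensions above, measured from incident records and rolled up into a simplified status per dimension, as an added example that is not part of the interview or of eSentire’s tooling. The incident records, the RTO/RPO targets, the phishing click rate and the red/amber/green thresholds are constructed assumptions; the same roll-up illustrates the later point about translating operational metrics into a message an executive audience can act on.

```python
# Added example (not from the interview or eSentire): constructed incident records
# rolled up into the dimensions named above, plus a red/amber/green executive view.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
RTO, RPO = timedelta(hours=8), timedelta(hours=1)  # assumed recovery targets
hours = lambda td: td.total_seconds() / 3600       # timedelta -> float hours

@dataclass
class Incident:
    name: str
    started: datetime      # first attacker activity, per forensics
    detected: datetime     # first alert acknowledged by an analyst
    contained: datetime    # spread stopped
    recovered: datetime    # affected service restored
    data_loss: timedelta   # age of the restored data relative to the outage

def withstand_metrics(incidents):
    """Mean time to detect / contain / recover, in hours."""
    return {
        "mttd_h": mean(hours(i.detected - i.started) for i in incidents),
        "mttc_h": mean(hours(i.contained - i.detected) for i in incidents),
        "mttr_h": mean(hours(i.recovered - i.detected) for i in incidents),
    }

def recover_metrics(incidents, rto=RTO, rpo=RPO):
    """Share of incidents that met the RTO and RPO targets."""
    n = len(incidents)
    rto_met = sum((i.recovered - i.detected) <= rto for i in incidents)
    rpo_met = sum(i.data_loss <= rpo for i in incidents)
    return {"rto_met_pct": 100 * rto_met / n, "rpo_met_pct": 100 * rpo_met / n}

def rag(value, green_max, amber_max):  # lower is better; thresholds assumed
    return "green" if value <= green_max else "amber" if value <= amber_max else "red"

def executive_summary(incidents, phish_click_rate_pct):
    # One status per resilience dimension: the level of detail a board report needs.
    w, r = withstand_metrics(incidents), recover_metrics(incidents)
    return {
        "anticipate": rag(phish_click_rate_pct, 5, 10),  # training effectiveness
        "withstand": rag(w["mttd_h"], 4, 12),            # detection speed
        "recover": rag(100 - r["rto_met_pct"], 5, 25),   # % of incidents missing RTO
    }

# Constructed sample incidents (not real data); all begin at T0.
T0 = datetime(2024, 3, 1)
H = lambda n: T0 + timedelta(hours=n)
INCIDENTS = [
    Incident("phish-1", T0, H(2), H(3), H(6), timedelta(minutes=30)),
    Incident("ransom-1", T0, H(10), H(13), H(22), timedelta(hours=3)),
    Incident("creds-1", T0, H(3), H(4), H(9), timedelta(minutes=20)),
]
```

Run `executive_summary(INCIDENTS, phish_click_rate_pct=7.0)` to get the upward view; the raw means and percentages from the two metric functions stay available for the operational report.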
Streamlining CISO Metrics
Q: Given the vast amount of data CISOs manage, how can they streamline reporting?
A: There are two types of metrics: operational and executive-level.
While CISOs use operational metrics (for example, control framework compliance) to assess program health, these often get lost on executives who lack the technical background.
The key is to translate operational metrics into a story about cyber resilience. Educate leadership on the NIST Cybersecurity Framework (CSF) as a foundation, but focus on the outcome: resilience.
Internally, CISOs can use detailed frameworks for operational measurement. However, for upward reporting, simplify the message.
Supporting CISOs Amid Expanding Roles
Q: What advice would you give to organizations looking to support their CISOs and security teams in this ever-expanding landscape of responsibilities?
A: Security needs to become a core value, woven into the fabric of the organization. This means giving the CISO a seat at the executive table, along with the resources they need to succeed.
Security often gets relegated to a small team within IT, even though CISOs bear many responsibilities. Without proper support, funding, and personnel, it’s impossible for them to function effectively as executives.
The key is empowering the CISO. They need to be included in business planning discussions from the very beginning.
When strategic initiatives are being formulated, like expanding into new markets, developing AI, or launching new products, security considerations must be part of the conversation. This proactive approach ensures the business can achieve its goals without security roadblocks emerging later.
Imagine a scenario where the company has already invested heavily in an initiative, only to have to abandon it due to unforeseen security risks. This reactive approach is expensive and disruptive.
An empowered CISO, however, can identify these risks proactively, ensuring everyone is aligned from the start and that security strengthens, rather than hinders, the organization’s future.