Ever since the role of the chief information security officer (CISO) was first created in 1994, the position has been treated like the pesky youngest sibling in the C-suite family. In the office, the CISO wasn’t given the same voice as the chief information officer (CIO) or other executives. During meetings of the board of directors, the CISO often wasn’t given a place at the table, and digital defense wasn’t treated as highly important for the business.
Now that CISOs have greater access, directors and other C-suite members are more willing to see that the CISO’s domain isn’t a separate entity but needs to be part of overall business plans. So, how has this change come about? How did the CISO come to gain a seat at the table with the rest of the C-suite? And what do they need to do in order to succeed there?
CISO Brought to the Fore
Nowadays, entities across industry verticals have suffered major data breaches or fallen victim to high-profile ransomware attacks. Because of this, cyber defense has taken on a new urgency. At the same time, there has been a slow shift in the duties of the CISO. Twenty years ago, the typical CISO was someone who had good tech skills first (often coming from an IT role) and could understand basic defensive tools.
“Now, a good CISO will have regular access to the board and be known around their organization for their advocacy of infosec, good leadership and their knowledge of how tech can be used to help the business,” Mark Ward, senior research analyst at the Information Security Forum, says in an email interview.