How next-generation CISOs can become agents of change

Forward-looking CISOs are pursuing a new role, building stronger cross-functional relationships to support innovation and transformation.

How do chief information security officers (CISOs) win the confidence of their boards, secure the resources they need to protect their enterprises, and move into a more strategic position in the business? New EY research reveals that the next generation of CISOs is determined to play a pivotal role in driving value and enabling change. To get there, these CISOs are pursuing a new type of relationship with their colleagues.

CISOs know all too well that in the face of the mounting cybersecurity threat, their fundamental responsibility is the safety and security of their organizations. And this year’s EY Global Information Security Survey (GISS) of almost 1,300 organizations worldwide, finds that attacks are becoming more frequent: 59% of organizations say they have been targeted more often over the past 12 months than in the previous year.

However, the GISS also reveals that next-generation CISOs believe their role now needs to expand. They expect to be much more business-aligned, focused on building relationships outside of IT, and engaged with the organization’s commercial imperatives – including digital transformation.

The innovative CISO

Next generation CISOs – who are currently in the minority – are already carving out that kind of role for themselves. For example, they are engaging with their boards more regularly, with 29% of organizations surveyed, confirming that cybersecurity is a board agenda item every quarter. And they are reaching out across the business to forge new alliances with functions with which the CISO traditionally has little contact. Many security teams have built trusting relationships with functions such as IT and risk, who are their closest colleagues in the organization, but the GISS shows that some are going further: 26% of respondents describe their relationship with marketing as being of mutual or high trust, involving good levels of consultation, and 36% say the same of the research and development team.

This breaking down of traditional barriers is crucial for the CISO to contribute in a more business-driven, value-added way. The evidence from this year’s GISS is that at many organizations, CISOs and their teams are still regarded as reactive and compliance-driven, rather than partners in the business’s growth objectives. More CISOs must now consider how they can raise their profiles and be seen as innovators: just 7% of survey respondents say that their executive management teams would describe the role of cybersecurity as “enabling innovation with confidence”.

Their reward? The opportunity to support their organization in pursuing its commercial goals. For example, relatively few security teams are currently involved from the start, in the launch of new products and services. A mere 36% of respondents say that the cybersecurity team is brought into such initiatives at the planning stage. Large numbers are not consulted until after the products and services have been designed; in some cases, they are not consulted at all.

From a security point of view, this misses a trick. It prevents organizations from working with a Security by Design mindset and forces them to retrofit their protections. More broadly, it means that CISOs are not fulfilling their potential – they could become vital agents of change, enabling their organizations to pursue essential digital transformation with confidence.

Involving CISOs too late also affects their ability to secure the resources they need to properly safeguard their organizations. Many security teams identified procuring or justifying budget as a top operational challenge this year; this may reflect mutual frustration at the board level with repeated demands for cybersecurity spending and security teams proving to the board that they are performing in line with expectations.

Reframing the conversation

Next-generation CISOs are responding by reframing their case for funding. While most CISOs continue to justify increased spending in terms of risk reduction or compliance needs, 9% now cite the enablement of new business initiatives. This shift toward new business is set to increase in the years ahead: already, 40% of GISS respondents are focusing on increasing cybersecurity spending in those areas of the business where there are opportunities to grow and transform.

Communicating in these terms will be increasingly important for next-generation CISOs, who are seeking a different level of business engagement. Board reporting, for example, represents an important opportunity to change the narrative. In the latest GISS, 25% of CISOs are confident that they can quantify, in financial terms, the effectiveness of their spending in addressing risk; the rest worry that they cannot articulate their achievements to the board.

Similarly, only a small minority of CISOs are demonstrating the security team’s performance to their boards using metrics aligned to business objectives that executives already understand. Most are still providing status reports or postmortems following incidents or breaches – a tactic that will only prolong and exacerbate the disconnect between the board and the security function.

The challenge now is for CISOs to assess their position in their organizations and work out how it needs to adapt. The day job – keeping the enterprise safe – continues, but the CISO of tomorrow will also be a strategic thinker and agent of change. Stronger relationships with other functions throughout the business will help security to get involved much earlier in new initiatives and in the transformation process. Closer engagement with the board, built on the two parties speaking the same language, will enhance CISOs’ status and position them as enablers of innovation.

This is a shift that will make the day job simpler. CISOs involved in new initiatives from day one have an opportunity to embed a culture of Security by Design – rather than having to scramble to add protections retrospectively. And those with stronger board relationships will find it easier to make the case for the resources they need. Repositioning the CISO as an agent for change is a win-win situation.