The chief information security officer (CISO) is the executive responsible for an organization's information and data security. The CISO position first came into being with the appointment of Steve Katz to the role at Citigroup.
The role continues to evolve as enterprises expand their borders to include e-business partnerships, mirroring institutional changes. According to IDG's 2020 Security Priorities Study, 61% of surveyed companies have a CISO, though that rate goes up to 80% for large enterprises.
Jeffrey Kok, VP solution engineers APJ for CyberArk, admitted that prior to 2005, the CISO title was a rarity in the Asia-Pacific region. “But from about 2005 to 2008, we start seeing the first few CISOs in the market, and it's been gradually ramping up,” he added.
He noted that in the present, all the top banks, multinationals and enterprises would already have a CISO. He called out the CISO as a subject matter expert who can take the focus out of the CIOs hands to really focus on IT security for the organisation.
“This is especially so in the past couple of years given that there is a huge increase in cybercrime such as ransomware. The need for CISO is rising. We are seeing, even smaller organisations looking to appoint CISO or hire CISO to put their cybersecurity plans in place,” he continued.
In addition to Ransomware-as-a-Service (RaaS) he noted the acceleration of other forms of disruptive attacks as well as nation-based attacks.
“You can see that the threat landscape is accelerating. Most organisations need someone that can really take focus and know about IT security so that he or she can lead the organisation, put together a program and navigate it. Through this cybersecurity plan, the organisation can reduce the risk of data breaches and business disruption from increased cyber threats,” he continued.
Kok acknowledged another challenge for CISOs that of evolving regulatory compliance-driven in part by the rise of cyberattacks.
“Organisations are quickly moving to the cloud. With COVID and a remote workforce, a lot of the traditional strategy, which used to focus on perimeter security and protecting everybody within the company boundary, now needs to be extended to protect remote workers who are using cloud services,” he explained.
He raised the need to modernise security strategies, including technology, people and processes. To which he acknowledged that a prevailing talent shortage.
“The CISO cannot do all of these security programs on their own. They need to hire people. And with COVID, it makes it a lot harder to hire in this modern-day,” said Kok.
Architect of security
Asked who decides on the information security strategy for the organisation, and more importantly, how it is executed, CyberArk’s Kok said it depended on the organisation.
“For organisations that do not have a chief risk officer, which many organisations don't, usually the CIO would take this role and set the direction and a strategy. Typically, the Chief Security Officer will set the direction of the general security.
“The CISO will work between the CIO and the CSO to determine what is the cybersecurity strategy and direction. Now, if there is a CRO, the chief risk officer and a CSO is reporting to the chief risk officer, then typically, the risk management team typically determines the direction, together with the CISO,” he elaborated.
When is separating CISO from IT a good strategy?
Kok said the CISO role is typically found in more mature organisations. He explained that the CISO’s top priority might not be fully aligned to the CIO, because some of the security initiatives or security directions might put a damper on the CIO’s overall direction and strategy.
“In those cases, we see that it might be more effective to put the CISO into a separate reporting line in the organisation, where they will be able to work as a parallel stream, together with the CIO to drive better efficiency and results for the organisation,” he explained.
CISO priorities in 2021-2022
While Kok is optimistic that the threat of the pandemic will evolve to an endemic, he believed that the risks of a hybrid workforce will continue.
“We see a lot of CISOs continue to accelerate their digital transformation which will not end by the second half of this year. The digital transformation cycle will continue to next year as well, with the same level of acceleration, to handle all the new problems that they probably haven't figured out.
“For organisations that are in the early days of digital transformation, they will need to quickly learn and solve the workforce challenge. A lot of the same things that we'll see in the second half of 2021, will continue to play out into 2022, as well,” concluded Kok.
Click on the podchat player and listen to Kok share his views on the challenges ahead of CISOs in Asia in 2021 and beyond.
- Is the CISO a common occurrence? Or are there more of them coming in late, especially lately?
- What is driving the need for a CISO, especially in these couple of years?
- Beyond the threat landscape that you've just highlighted. What are the operational challenges facing a CISO and the enterprise he or she represents?
- What would be the composition of the team that reports to the CISO, and is there a dotted line to the CIO or perhaps somebody else in the C suite?
- Given the role of the CISO, CSO, CRO and the CIO. Who decides on the information security strategy for the organisation, and more importantly, how it is executed?
- When is separating CISO from IT a good option for an organisation?
- Coming where we are halfway through 2021, what do you see will be governance and security challenges or any challenges that will be facing the CISO for the remainder of the year?
- What do you see will be CISO priorities for next year? 2022?