{"id":1492,"date":"2025-01-13T09:01:00","date_gmt":"2025-01-13T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1492"},"modified":"2025-01-13T09:01:00","modified_gmt":"2025-01-13T09:01:00","slug":"cisos-embrace-rise-in-prominence-with-broader-business-authority","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1492","title":{"rendered":"CISOs embrace rise in prominence \u2014 with broader business authority"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>It\u2019s a familiar refrain: As cybersecurity has become a core business priority, it is no longer a siloed operation, and the responsibilities of CISOs have grown, giving them greater prominence within the organization.<\/p>\n<p>According to <a href=\"https:\/\/foundryco.com\/research\/security-priorities\/\">CSO\u2019s 2024 Security Priorities Study<\/a>, 72% of security decision-makers say their role has grown to include additional responsibilities over the past year. The top five responsibilities security leaders have taken on are: cybersecurity strategy and policy development; risk management; securing AI-enabled technology; innovation and emerging technologies; and security architecture and technology updates, according to the report.<\/p>\n<p>Further, the report notes that 92% of security leader respondents have greater engagement with board of directors, up from 85% in 2023. 
Similarly, a recent <a href=\"https:\/\/www2.deloitte.com\/us\/en\/pages\/risk\/articles\/future-of-cyber-survey-2024.html\">Deloitte report<\/a> finds cyber leaders have increased leadership visibility \u2014 41% of respondents said their board addresses cyber-related issues at least once a month, while 30% are meeting weekly.<\/p>\n<p>\u201cThe influence of the CISO is growing across an increasingly cyber-savvy C-suite: Almost one-third of respondents noted CISO involvement in strategic conversations about tech investment,\u201d the Deloitte report said. \u201cHalf of respondents are very confident in the C-suite and board\u2019s ability to adequately navigate cyber issues.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The CISO is more central to the business<\/h2>\n<p>Larry Jarvis, CISO of Iron Mountain, says his role has expanded significantly in recent years, reflecting the growing complexity of today\u2019s security landscape, and now spans several interconnected areas, including risk management, business resiliency, and compliance. Cybersecurity has moved beyond technical IT concerns to become a core business priority, he says.<\/p>\n<p>\u201cMy responsibilities now encompass not only protecting our digital assets but also aligning security strategies with the broader business objectives,\u201d Jarvis says. \u201cThis shift is driven by the increased sophistication of cyber threats, regulatory demands, and the critical need to protect customer trust in a data-driven world.\u201d Additionally, \u201cThe rapid adoption of generative AI also presents new security challenges,\u201d he says.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Larry Jarvis, CISO, Iron Mountain<\/p>\n<p class=\"imageCredit\">Iron Mountain<\/p>\n<\/div>\n<p>Daniel Schatz, CISO of Qiagen, a provider of molecular testing solutions based in the Netherlands, echoes that. 
\u201cMy role and the tasks I\u2019m involved with expanded over time from what you\u2019d usually consider old-school IT security,\u201d he says. \u201cRecently, I\u2019ve been working to find the right setup to build the company\u2019s business continuity program, \u2026 set up the organization\u2019s crisis management team, and [also] became responsible for enterprise risk management.\u201d<\/p>\n<p>While Schatz doesn\u2019t believe the security team previously operated in a silo, he says that may have been the perception. Five years ago, security was part of the IT organization and closely integrated into technical processes and projects. But this brought its own limitations, such as the perception that security is \u201can IT problem.\u201d<\/p>\n<p><strong>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3578736\/security-priorities-emphasize-ciso-role-on-the-rise.html\">Security priorities emphasize CISO role on the rise<\/a> ]<\/strong><\/p>\n<p>To change that, Schatz says he has worked with company executives to shift the security function out of IT to give it broader exposure to all business areas. While this did not immediately resolve any issues, as a result \u201cwe were then able to more effectively engage across all business functions while still keeping good relations with our IT colleagues,\u201d he says. 
\u201cAdding the role of a <a href=\"https:\/\/www.csoonline.com\/article\/574279\/the-biso-bringing-security-to-business-and-business-to-security.html\">business area information security officer (BISO)<\/a> for our key business areas did help to make this process much easier for both sides.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Daniel Schatz, CISO, Qiagen<\/p>\n<p class=\"imageCredit\">Qiagen<\/p>\n<\/div>\n<p>Tim Dzierzek, CISO of healthcare staffing company Aya Healthcare, agrees that there used to be the sense that \u201csecurity is a technical problem, and I feel like you\u2019re always educating executives that security is an all-encompassing process.\u201d<\/p>\n<p>Now, he says the CISO role has undergone a shift from security being a room of security professionals \u201clooking at a lot of things,\u201d to being more focused on <a href=\"https:\/\/www.csoonline.com\/article\/3543810\/chief-risk-storyteller-how-cisos-are-developing-yet-another-skill.html\">risk management<\/a> and trust management across the organization.<\/p>\n<p>\u201cI\u2019m definitely seeing more involvement of security in the business that you haven\u2019t seen in the past, whether it\u2019s data governance and now even AI governance, to really harness artificial intelligence for us and our customers,\u201d Dzierzek adds.<\/p>\n<p><strong>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3552939\/whats-next-for-the-ciso-role.html\">What\u2019s next for the CISO role?<\/a> ]<\/strong><\/p>\n<p>With most companies now considered tech companies, <a href=\"https:\/\/www.cio.com\/article\/230425\/what-is-digital-transformation-a-necessary-disruption.html\">digital transformation<\/a> involves the CISO as well as the CIO, he says. 
While ensuring sensitive data remains compliant, the <a href=\"https:\/\/www.csoonline.com\/article\/566757\/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html\">CISO has become a key advisor<\/a> in how tech is used and enables companies to meet their business goals.<\/p>\n<p>\u201cSo it\u2019s a change from a backroom security function to guiding companies in a secure way,\u201d Dzierzek says.<\/p>\n<p>Aya Healthcare doesn\u2019t like silos, he adds, and \u201cI find a lot of my role is meeting up with people in the business. \u2026 There is a relationship [component] to the CISO role that wasn\u2019t really in place in past companies.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Tim Dzierzek, CISO, Aya Healthcare<\/p>\n<p class=\"imageCredit\">Aya Healthcare<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">Wearing many hats \u2014 starting with risk<\/h2>\n<p>Schatz\u2019s role was originally focused on information security in the wider corporate technology department \u2014 something he says was common five or 10 years ago, \u201cand it is probably still the typical setup for many organizations that are just getting serious about the topic.\u201d<\/p>\n<p>But the mix of the rapidly developing cyber threat landscape and increasing external pressure from customers, regulators, and legislative bodies is forcing organizations to take a more holistic view of cyber risks, Schatz says.<\/p>\n<p>\u201cExecutives recognize that cyber risk is a systemic risk,\u201d and they are starting to see that \u201cthe CISO is well suited to assist with addressing this outside of just the traditional IT,\u201d he says. 
\u201cIn my case, this means that my role expanded in several areas over the past few years.\u201d<\/p>\n<p>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3587231\/the-10-biggest-issues-cisos-and-cyber-teams-face-today.html\">The 10 biggest issues cyber teams and leaders face today<\/a> ]<\/p>\n<p>Schatz\u2019s list of added responsibilities includes overseeing technical data privacy protection. While Qiagen\u2019s legal counsel retains overall responsibility for privacy regulation compliance, he says, \u201cinterpretation and implementation of the technical controls is seen as a CISO responsibility and thus, falls to me.\u201d<\/p>\n<p>In line with the \u201csystemic risk theme,\u201d Schatz was recently asked to build a formal <a href=\"https:\/\/www.csoonline.com\/article\/644794\/5-ways-to-prepare-a-new-cybersecurity-team-for-a-crisis.html\">crisis management capability<\/a> for the organization. \u201cThis was driven by the realization that a cyber-related scenario is one of the most likely triggers for a crisis in our organizational context, so the overall responsibility was given to me,\u201d Schatz says.<\/p>\n<p>Around the same time, the need to establish a company-wide <a href=\"https:\/\/www.cio.com\/article\/288554\/best-practices-how-to-create-an-effective-business-continuity-plan.html\">business continuity management (BCM)<\/a> program became apparent, he adds. \u201cWith much of the organization depending on digital assets, it was not unexpected that this could also fall in the scope of the CISO.\u201d<\/p>\n<p>However, Schatz pushed back, saying that instead of simply accepting another responsibility, he has worked with leadership to find the right place for the BCM function that would work best over the long term. 
\u201cThe CISO is now a key partner in the BCM program instead of adding full responsibility on top of the existing load,\u201d he says.<\/p>\n<p><strong>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3543810\/chief-risk-storyteller-how-cisos-are-developing-yet-another-skill.html\">Chief risk storyteller: How CISOs are developing yet another skill<\/a> ]<\/strong><\/p>\n<p>And, taking over the <a href=\"https:\/\/www.csoonline.com\/article\/566417\/enterprise-risk-management-erm-putting-cybersecurity-threats-into-a-business-context.html\">enterprise risk management (ERM)<\/a> function about 18 months ago \u201chas made it substantially more challenging to balance the responsibilities of the CISO function with the demands of an ERM function.\u201d<\/p>\n<p>But in this case, Schatz was able to bring in additional resources to support him with the ERM program.<\/p>\n<p>\u201cAt the same time, I\u2019ve been relying more on the members of my security team to keep the security program running effectively and efficiently,\u201d he says. \u201cI have to strictly prioritize where I put my efforts and focus. Fortunately, there are synergies between the roles, and I have a great team that I know I can rely on.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Operational technology changes the cybersecurity game<\/h2>\n<p>Ian Bramson has seen several key shifts during the past seven to eight years he has been focused on the operational technology side of cybersecurity. Bramson, vice president of global industrial cybersecurity at engineering and construction firm Black &amp; Veatch, says there used to be \u201csignificant resistance and even denial regarding OT cybersecurity. 
Clients were either dismissive about the exposure of their OT networks or claimed that they were not targets for adversaries.\u201d<\/p>\n<p>But as OT networks became more interconnected and cyber-physical attacks on critical infrastructure operations became more frequent, Bramson says \u201cperceptions began to change.\u201d His role has evolved from trying to convince clients that there was an issue to <a href=\"https:\/\/www.csoonline.com\/article\/3595787\/ot-security-becoming-a-mainstream-concern.html\">addressing their \u201cwhat do we do now?\u201d questions<\/a>, he says.<\/p>\n<p>\u201cSenior executives and boards of directors from critical infrastructure companies are getting more concerned and often are turning to their CISOs with mandates to \u2018make us safe\u2019 and \u2018keep operations running,\u2019\u201d Bramson says. \u201cThis creates new challenges for these CISOs as the OT environment works very differently than the IT one does.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Ian Bramson, VP of global industrial cybersecurity, Black &amp; Veatch<\/p>\n<p class=\"imageCredit\">Black &amp; Veatch<\/p>\n<\/div>\n<p>Issues such as safeguarding legacy systems and high-hazard equipment as well as an emphasis on uptime are key to these environments, he says. \u201cCISOs are starting to have accountability over operational networks and cyber consequences that they often do not understand.\u201d<\/p>\n<p>As safety and uptime become more of a mandate, the pressure on CISOs will continue to grow, Bramson says. \u201cWe are already seeing more discussions about building cyber into new constructions and major modification projects,\u201d he says. \u201cCompanies are realizing that cybersecurity is better built in from the start. 
This is expanding the CISO role even further across their companies and operations.\u201d<\/p>\n<p>OT has also become a key focus for Iron Mountain\u2019s Jarvis, since \u201cintegrating physical and digital security is essential in a hybrid environment. Additionally, business continuity planning plays an important role in protecting operations against disruptions, whether from cyberattacks or other threats,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">More prominence can be a double-edged sword<\/h2>\n<p>There\u2019s no denying that with greater prominence and attention \u2014 not to mention constant news stories about high-profile cyberattacks \u2014 comes additional stress. Aya Healthcare\u2019s Dzierzek says his background in the US Marine Corps has given him built-in mechanisms to cope.<\/p>\n<p>This includes going for a run, taking 15-minute breaks and walking away, and in evenings doing something other than security, he says. But in the past, Dzierzek acknowledges he has \u201cgone through bouts of being burnt out. \u2026 It\u2019s a hard hole to break out of if you don\u2019t have capabilities to step back and breathe when security incidents happen.\u201d<\/p>\n<p><strong>[ Related: <a href=\"https:\/\/www.csoonline.com\/article\/3617367\/dear-ceo-an-open-letter-from-your-ciso.html\">Dear CEO: It\u2019s time to rethink security leadership and empower your CISO<\/a> ]<\/strong><\/p>\n<p>The added responsibilities <a href=\"https:\/\/www.csoonline.com\/article\/2094656\/the-rise-in-ciso-job-dissatisfaction-whats-wrong-and-how-can-it-be-fixed.html\">definitely bring more pressure<\/a>, especially when resources are tight, adds Qiagen\u2019s Schatz. \u201cHaving a strong, reliable team makes a huge difference, but at the end of the day, it\u2019s about prioritizing and focusing on what matters most. 
It\u2019s not easy to accept that some things won\u2019t get done, and that can add to the stress.\u201d<\/p>\n<p>CISOs, like other business leaders, need to find their own way of getting comfortable with making tough decisions in uncertain situations to balance stress, performance, and mental health, he says.<\/p>\n<p>All in all, Schatz characterizes the additional responsibilities as a mixed blessing. \u201cIt clearly is a positive development that executive leaders recognize the added benefits a CISO can bring to the organization and entrust them with additional responsibilities,\u201d he says. The upside is that CISOs benefit from this by increasing their professional skillset, gaining a deeper understanding of their organizations and the risk universe in which they operate, and becoming more well-rounded leaders.<\/p>\n<p>\u201cThe other side to this is the obvious increase in pressure on your time to manage the increased responsibility and being outside your comfort zone quite often,\u201d he notes. That said, any senior leader is expected to be effective with limited resources and to optimize them within those constraints, Schatz says.<\/p>\n<p>\u201cBut it is also important that the organization provides sufficient resources to enable success,\u201d he stresses. \u201cAs long as this is balanced, I\u2019m up for the challenge.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>It\u2019s a familiar refrain: As cybersecurity has become a core business priority, it is no longer a siloed operation, and the responsibilities of CISOs have grown, giving them greater prominence within the organization. 
According to CSO\u2019s 2024 Security Priorities Study, 72% of security decision-makers say their role has grown to include additional responsibilities over the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1493,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1492"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1492"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1492\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1493"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}