Thacker says that a disconnect with the board remains a serious problem for most CISOs.
“A closer collaboration with the board is an urgent change needed. A discussion on business risk, less so business threat needs to take place with the board at regular intervals.
“The role [of the CISO] also has to change to include shared ownership of incidents and risk. Many organizations have data and risk owners assigned pervasively across the organization yet very few empower these owners and delegate adequate responsibility.”
Thacker added that security managers will in future have to consult more with data protection and legal teams, due to new global data protection laws, and changing budgets from network to data security spend.
“The current challenge today is the complexity of the role and the ability to manage events and incidents in a timely manner whilst achieving the requirement to meet compliance and legislation requirements. The complexity has only accelerated with third-party risk now a common custodian role today’s CISO has to take on. It’s a day job like no other.”
Andrew Rose, CISO at air traffic management company NATS, believes that future CISOs will have to become more focused on business strategy.
“The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication. My role is not terribly about making decisions, doing risk assessments or understanding the latest technology solution out there on the market.
“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realize the benefit in it. I don’t think I am alone in a CISO operating at that level, and I think more CISOs will have to do that in future.”
‘Visionary’ CISOs on the rise
Pearson’s Pinkard agrees, adding that businesses should be seeking a security ‘visionary’.
“In the coming years, organizations will have to find the right combination of experience, leadership, financial knowledge, business insight and security know-how. They’ll have to couple this with a forward-facing visionary – someone who can marry the necessary ‘old school’ approach with the evolutionary thinking that is required to excel digitally.”
Phil Cracknell, information security consultant, believes meanwhile that the CISO role could evolve to tie-in with that of the Chief Risk Officer (CRO).
“The CISO will become a subordinate role to the CRO, focusing back on technology whereas the CRO will have wider business risks to consider.” Cracknell adds that the role could even become “part-man part-machine”, due to the emergence of real-time alerts through Artificial Intelligence.
Thacker suggests that the emergence of business-aligned security chiefs could result in the creation of the Cyber Security Strategy Officer (CSSO) role.
Sign up for CIO Asia eNewsletters.