The role of Chief Information Security Officer (CISO) was originally created to manage technology risk within the enterprise. However, the CISO role is being reshaped by the greater role that security is now playing in business, and the need to protect a rapidly expanding portfolio of digital assets without inhibiting the organization from meeting its goals.
This is visible from several perspectives. CISOs and their teams must be able to communicate the organization's information risk exposure and the measures needed to protect the business, and do so in language that board members, business leaders, and other non-technical people can understand. Simultaneously, understanding business objectives is essential to ensure that the organization's overall security posture aligns with business risk.
To achieve this, the most successful CISOs tend to develop broad, leadership-level responsibilities that encompass or integrate with many domains and individuals across the organization. Tying the information security program to concrete business concerns (e.g., regulatory compliance status, or the operational impact of a control gap) lets the CISO present security work as a direct contributor to overall organizational well-being rather than as an isolated technical function. And with the CEO and board increasingly wanting detailed insight into the organization's risk posture, occupants of the CISO role have a strong case for a more direct reporting route to the top of the organization.
Key performance indicators (KPIs) and key risk indicators (KRIs) are two standard ways of reporting risk posture to business leaders. KPIs are lagging measures that describe what has happened; KRIs are leading measures that indicate what might happen. The metrics included in these groups will develop over time; overall, they fall into the buckets of operational (e.g., mean time to detect and mean time to respond, MTTD/MTTR; the share of staff who fail internal phishing simulations; and patch coverage) and strategic (e.g., open vulnerabilities by criticality weighted by the system and data affected, currency of risk assessments, and compliance status). Whichever metrics are chosen, each should have a defined measurement method and a target tied to the organization's risk appetite, so that movement in the number means the same thing every reporting period. The CISO's objective should be to demonstrate a positive trajectory that keeps security posture in line with risk appetite, whilst simultaneously enabling the organization to execute on its business strategy.
At Omdia, we see evidence of increased use of security risk ratings. Similar to a credit reference score, basic and more advanced scores are made available for organizations to see how secure their externally observable environment is at a particular moment in time. Because scoring methodologies differ between providers, a score is only comparable with earlier scores from the same provider, so the provider chosen to set the benchmark must be retained for subsequent measurements. With that caveat, such easily understood quantitative measurements ensure CISOs and business stakeholders share a common understanding, bearing in mind that an external rating reflects only what is visible from outside and says nothing about internal controls or detection capability.
Working with the board and leaders across the business is not static. Engagement and reporting should be dynamic, documenting ongoing change across the enterprise. As organizational leaders are increasingly involved in engagement and reporting for business and security risk, the lingua franca of business and security will become increasingly aligned – a significant step forward for the organization and for the practice of enterprise cybersecurity.