The CISO: New Rules, New Role?

With a never-ending evolution cycle and new spin-off roles and responsibilities, it is time once again to ask who the new CISO is.

With Juliette Foster moderating this roundtable debate, the speakers include:

  • Brendan Murphy, Cybersecurity Manager, L’Oréal, Canada
  • Christian Coutinho, Global CISO, LATAM
  • David King, CISO, Legal and General 
  • Devin Ertel, CISO, Menlo Security
  • Diego Souza, Global CISO, Cummins
  • Les McCollum, CISO, UChicago Medicine
  • Pedro Adamovic, CISO, Galicia Bank 
  • Rahul Bhardwaj, CISO APAC, Kroll
  • Upendra Mardikar, CSO, Snap Finance


Background on the new rules

Changes to the Act on Promotion of Information and Communications Network Utilisation and Information Protection (the Network Act) and to the Act on the Promotion of the Information Security Industry went into effect in late 2021. These changes deal prominently with the role of the CISO and include amendments to the public disclosure requirements for information security matters.

The changes to the CISO requirements help small and medium-sized companies that struggle to appoint a CISO. They can now appoint employees who hold the necessary qualifications under the Network Act's Enforcement Decree. In effect, they can name a non-executive-level employee as the CISO without pulling an executive out of their current position. Nevertheless, under the current Network Act a company may be fined steeply for failing to designate a CISO. It will also be fined if it fails to follow the requirement that the CISO not hold another position, or if its chosen CISO does not meet the qualifications required for the role.


How has the role of the CISO developed over the past year, and what does the position now require?

Over the past several years, the CISO has become an imperative figure within businesses, mirroring the growth of the CIO position seven to eight years earlier. In 2019, statisticians found that 40 percent of CISOs report directly to the CEO and 27 percent report to the board of directors.

CISOs now require a balance of business acumen and technology security knowledge. Rahul Bhardwaj of Kroll believes that the new rules have led CISOs to think more like business leaders. Christian Coutinho added that the position has changed from a statistical or managerial role to a more strategic one, imperative to the growth of a company or organisation. Highly effective CISOs are now in very high demand.


What is the importance of information translation to the changing role of the CISO?

Diego Souza of Cummins, a global power leader, said that CISOs need to explain all business risks to the board and make them easy to understand. Brendan Murphy added that CISOs can use easy-to-understand imagery, such as a colour-coding system of red, yellow and green, to highlight the potential risks of the topic under discussion. Diego said that not all risks have to come from within a company, and that you can learn from current events.

That means CISOs should learn and research more about the information security landscape and act accordingly: if something happens elsewhere, it could happen to them.

Relationships with company leadership and the board?

Everyone at the roundtable shared a similar viewpoint: relationships are imperative to the success of a CISO.

Devin Ertel of Menlo Security said you should have "someone in your corner." It is common for CISOs to work directly with internal leadership or board members, because CIOs and CEOs like the idea of having information sanitised and organised before it is brought to the board. Despite the importance of CISOs in this regard, the role can sometimes be minimised compared to other roles within a company.

Brendan Murphy said that the situation depends on the company you are at: in some cases you will answer to the authority of the CIO, who will make the decisions.

However, the roundtable unanimously agreed that this is changing. The CISO now makes the decisions regarding cyber-security. Diego Souza said that CISOs are now responsible for protecting the product and the data, an idea that would have been unthinkable a few years ago.

Security teams and CISOs

As previously mentioned, CISOs have grown in importance within a company's organisational structure. Les McCollum of UChicago Medicine says that security teams have evolved in structure as businesses go through their digital transformations. For instance, he says, "The healthcare industry is constantly finding new tools to improve healthcare for patients." McCollum says that finding the potential risks in these tools that people are unaware of is one of his most important tasks. Every action has a following reaction, and that includes the positive implementations a company makes.

In conclusion, CISOs are hugely important to company security and will become even more so with the growing digitalisation of businesses.

This roundtable was created in partnership with Menlo Security.
