The Evolving Role of the CISO: Bridging Security, Business, and Innovation - Part I: Traditional Role of a CISO
I have spent a lot of time commuting and listening to books and podcasts. One that has stuck with me is CISO Evolution. Rock and Matthew do a fantastic job with the premise that the CISO is no longer a technical ones-and-zeros person, but a business leader who counsels the other strategic leaders of the company.
My AI companion suggested: "In today's digital age, a CISO is no longer just the gatekeeper of firewalls but a key strategist driving business success." It isn't wrong. I have spent 15 years working in various capacities and leadership positions in this field, and in that time I have watched the CISO position evolve into its current form; I look forward to seeing how it matures over the next few years. The traditional CISO role defends the perimeter, takes a reactive approach, is isolated from business goals, is typically compliance-oriented, focuses on technology, has minimal executive and board access, and runs a smaller team with generalist rather than specialist skill sets.
Defending the perimeter is a common starting point for a company, and many early CISOs were technical leaders who configured the defenses themselves (WAFs, firewalls, EDR agents) and responded to incidents. Much of the work was task-driven: configure this alert, tune this device, hook up this technology.
Early CISOs were typically reactive to attacks and incidents, focusing more on remediation than on prevention: they learned of incidents after the fact and then closed the gaps to minimize exposure.
Many were isolated from business goals and objectives, typically seen as a bolt-on or a requirement. Very little work had been done on how engaging security helps the company achieve its business goals. Many CISOs felt chided when their ideas were not valued and were left reacting to decisions they had merely been informed of.
Early on, many CISOs were compliance-oriented, i.e., we must do this work to comply with SOC 2, HIPAA/HITRUST, etc. As such, our teams worked to meet regulatory requirements and ensure that the company passed its audits, and not much more. There was no view of how security could be used as a differentiator in the market and a driver of business growth.
Many CISOs focused on technology instead of business strategy. Knowing how a tool works is essential, but the CISO does not necessarily need to watch every step of how the work gets done. A lot of the day-to-day work involved managing tools and teams without much collaboration with partner teams: IT, Engineering, DevOps, Infrastructure, etc.
In the early days, CISOs had minimal interaction with senior executives and boards. They were often pushed far down the organizational chart, and roll-up reporting dropped many of the details the CISO wanted to highlight. In many organizations, security is or was a "black box," i.e., we send our application over the fence and hope it doesn't come back with many issues. The same goes for log events. Security was the department of "no," rather than a department of "yes, and here's how we can help."
The traditional CISO had a smaller team with generalized rather than specialized roles, think a generic "Security Engineer" title, whereas today we have threat hunters and IAM specialists. Many roles and responsibilities did not extend beyond traditional IT security functions.
Recently, a shift toward Both/and Thinking has pointed the CISO role at a proactive, business-aligned, and innovation-driven future. I'm looking forward to it, and I hope one day to put these ideas into practice.