The Changing Nature of The CISO in 2023

By Alain Sanchez EMEA Field CISO and Daniel Kwong SEAHK Field CIS at Fortinet

As we head into 2023, the role of the Chief Information Security Officer (CISO) is shifting more than ever. As cybersecurity remains a board-level discussion and cybersecurity risk continues to increase, CISOs have substantial access within an organization but also face significant pressure.

The biggest shifts for CISOs in terms of their role in a business in the last 3 years

In recent years, the role of the CISO has shifted dramatically. With the rise of cyber attacks, CISOs are now expected not only to protect data, but also to be proactive in identifying and preventing potential threats.

In addition, CISOs are now often tasked with developing and implementing security strategies for the entire organization, not just the IT department. With the ever-changing cybersecurity landscape, CISOs must continuously adapt their strategies to stay ahead of the curve.

A decade ago, those who are now referred to as “CISOs” were not considered nearly as important as they are today. Quite often, at the time, they got answers such as, “Can’t you see I’m working?” or, “Oh no, not you again!” Today, the same people get a dedicated seat in that same boardroom. And, many CEOs ask them important questions, valuing their response. These questions actually call for answers, and perhaps the most amazing change is in the tone that is now used. Can you provide insight into whether or not we can buy this company?” or “If you wouldn’t mind, can you prepare metrics regarding our cyber posture to present to our stakeholders next week”?

The newly regarded CISO gets a budget, a team, and the right to recruit directly. Sometimes even the voice of the CISO prevails over other long-standing professionals established on the upper floor. In fact, over the last few years, the teleworking policy, the collaborative database, legal reporting, and even the development roadmaps of innovative core applications have been placed under their direct leadership.

The shift in the role of the CISO from an operations focus

In recent years, there has been a shift in the role of the CISO from an operations focus to a strategic one. This is due to the increase in demands placed on CISOs to protect organizations from cyber threats. In order to be successful, CISOs must now have a deep understanding of the business, its risks, and its goals. They must also be able to build and maintain relationships with key stakeholders.

One example is that the board wants more than just a service-level agreement on security incident response. Instead, they are looking for a protection-level agreement to ensure digital assets are continuously patched and protected to react to cyber incidents that may cause business disruption proactively.

Gradually, the CISO has become more involved in the decision-making processes. Almost systematically now, when innovation is involved, the CISO’s voice makes a difference. And that difference is not about saying no all the time. Rather than speaking from the voice of “Mister No” the CISO has turned into a source of inspiration for innovation, rallying data analysts and software developers under the same banner of secure operations development. To do so, the CISO and their team have initiated a healthy dialog between production, marketing, finance, and even HR and Legal. As a consequence, this has shifted the focus from bits and bytes language towards more business-oriented notions such as risk, market footprint, and compliance.

The CISO’s role is no longer just about protecting the organization from cyber threats. They are now a key business enabler, tasked with delivering business value.