I am sure this will be controversial; many love their role and title. First, some perspective . . . my career started in IT security. I cut my GRC teeth in IT security. My first imagination of a GRC platform came from leading an IT security, risk, and compliance consulting practice in the 1990s; I first encountered one as a product in February 2002, after which I defined the GRC market. I started the Milwaukee Chapter of the Information Systems Security Association (ISSA). I was on the International Board of the ISSA, primarily as its VP of Standards and Public Policy. I co-chaired Congressperson Putnam’s Corporate Information Security Working Group. I wrote a paper on CyberRisk for the Joint Economic Committee of Congress. While my career and analyst coverage have gone far beyond IT security, that is where I started.

To put it bluntly, the CISO role is dead. Organizations need something different: a broader view of IT risk management. The recent CrowdStrike event is just one example of many that require organizations to take a much broader view of IT risk and resilience management. Security is still critical and is a component of this, but resilience is more than security.

In the intricate narrative of J.R.R. Tolkien’s epic “The Lord of the Rings,” we witness a profound transformation: Gandalf the Grey, once a humble guide and protector, transcends his former self to become Gandalf the White, a more powerful beacon of wisdom confronting the enemy at the gates of Mordor. This metamorphosis is not merely a change in title or attire; it represents a fundamental shift in purpose, responsibility, and vision. In much the same way, the role of the Chief Information Security Officer (CISO) is undergoing a significant evolution. The era of the traditional CISO is ending, and from its ashes rises a new archetype: the Digital Risk & Resilience Officer (DRRO).

NOTE: Personally, I am not a fan of the word ‘digital.’ When I see it, I think of the digital alarm clocks of the 1970s and 80s that I grew up with. It is a dated term for me. But it sticks and is what is being used. The title Cyber Risk & Resilience Officer is a little too narrow.

But let’s unpack this . . .

The Grey Years: Traditional CISO

The role of the CISO emerged from the burgeoning need to safeguard organizational assets in an increasingly digital world. In the early days, the CISO’s primary mission was clear-cut: protect the confidentiality, integrity, and availability of information systems from exposure to malicious attackers and inadvertent mishaps. This task involved implementing firewalls, antivirus software, intrusion detection systems, and a myriad of other security controls to fend off cyber threats and reduce vulnerabilities.

However, as technology evolved, so did the complexity of risk. The scope of the CISO’s responsibilities expanded to encompass compliance with regulatory requirements, managing vendor risk, and ensuring data privacy. Yet, despite these growing duties, the perception of the CISO remained largely confined to IT security. The metaphorical Gandalf the Grey was adept and diligent but limited by the conventional boundaries of information security, in a business environment that has become pervasively dependent on information and technology throughout the organization.

The Shifting Landscape

The digital landscape is now more interconnected and complex than ever before. IT risk is no longer limited to data breaches and hacking incidents. It encompasses a broader spectrum, including IT resilience, business continuity, and the ability to withstand and recover from disruptions of any cause.

The recent CrowdStrike incident is a poignant reminder of this reality. In July 2024 a faulty content update to CrowdStrike’s Falcon sensor crashed Windows hosts around the world. It came from a leading cybersecurity firm, and it was not a security breach; it was an availability failure delivered through a trusted vendor’s update channel, and a colossal IT and business risk. This incident underscores the need for a more comprehensive approach to IT risk management, one that treats the update path of a trusted security product as a single point of failure to be managed like any other. Organizations globally were impacted. Some organizations did not use CrowdStrike themselves but were still impacted because their vendors and suppliers did, a reminder that fourth-party dependencies are part of the risk picture.

On top of that, regulations such as the United Kingdom’s operational resilience regime, the EU Digital Operational Resilience Act (DORA), the EU Cyber Resilience Act (CRA), and Australia’s APRA CPS 230 are taking a more expansive view of resilience than security alone.

The Death and Rebirth: From CISO to DRRO

Just as Gandalf the Grey’s transformation into Gandalf the White signified a rebirth with greater responsibilities and a more profound vision, the transition from CISO to Digital Risk & Resilience Officer (DRRO) marks a pivotal evolution in IT risk management.

The DRRO is not just a guardian of security but a strategist for operational resilience. The role takes a holistic view of digital risk, integrating cybersecurity, IT resilience, business continuity, and risk management into a cohesive framework aligned with the business. It addresses security, but it also looks at staffing and talent, software defects and outages, and much more. The DRRO ensures that the organization is not only protected from cyber threats but also capable of enduring and thriving amid disruption, in a business environment that often feels like navigating chaos.

The Pillars of Digital Risk & Resilience

  1. Holistic Risk Management. The DRRO must adopt a comprehensive risk management strategy that includes cyber threats, IT failures, supply chain disruptions, and other operational risks. This involves regular risk assessments, scenario planning, and the implementation of robust risk mitigation strategies.
  2. Operational Resilience. Beyond preventing security incidents, the DRRO focuses on ensuring that the organization can quickly recover from disruptions. This requires scenario planning and preparedness, a well-defined recovery plan, regular testing, and continuous improvement of resilience capabilities.
  3. Integration of IT and Business Strategies. The DRRO bridges the gap between IT and business objectives, ensuring that digital risk management aligns with the overall strategic goals of the organization. This integration enhances decision-making and supports long-term business growth and resilience.
  4. Proactive Threat Intelligence. Leveraging threat intelligence, the DRRO stays ahead of emerging risks, adapting strategy as new vulnerabilities and threats appear rather than after an incident has already occurred. This proactive stance is crucial in an ever-evolving threat landscape.
  5. Stakeholder Collaboration. Effective digital risk management requires collaboration across all levels of the organization. The DRRO works closely with executive leadership, IT teams, business units, and external partners to foster a culture of resilience and shared responsibility.

The Path Forward

As organizations navigate the complexities of the digital age, the need for a DRRO becomes increasingly evident. The traditional CISO, confined to the narrow scope of IT security, is no longer sufficient. The DRRO, embodying the wisdom and vision of Gandalf the White, represents a new era of comprehensive digital risk and resilience management.

In this transformed role, the DRRO not only protects the organization from cyber threats but also ensures its ability to withstand and recover from any disruption. This holistic approach to IT risk management is essential for achieving true operational resilience in the modern era.

The death of the traditional CISO marks the end of an era but also heralds the beginning of a new one. The emergence of the Digital Risk & Resilience Officer is a natural evolution, reflecting the changing landscape of digital risk and the need for a more comprehensive approach to IT resilience. Just as Gandalf the White rose from the trials and tribulations of his former self, so too does the DRRO rise to meet the challenges of the modern era, guiding organizations toward a future of resilience and prosperity.

The journey from CISO to DRRO is not merely a change in title; it is a profound transformation in purpose, responsibility, and vision, and one that every organization must undertake to thrive in an increasingly complex and interconnected world. The death of the CISO is not an end but a new beginning, a rebirth into a role that is more vital and encompassing than ever before.

5 comments

  1. The article describes the role of an effective CISO. The adoption of a standards framework such as NIST 800-53 includes requirements for both contingency planning and incident response which support business continuity and resiliency. Not seeing the need for a title change – but more of a case to ensure organizations and security practitioners take a wider view of their objectives.

  2. Interesting. In the late 1990s and into 2003 I was the CISO at ABN AMRO North America. I had a boss that supported me, so we achieved a great deal. Reporting to me were IT security functions for all platforms including engineering, application security and all user IDs, Network Security Engineering and Implementation/Monitoring/Pen Testing, Physical Security for all IT environments, Disaster Recovery (IT) plan development and testing, Business Continuity Plan development facilitation and testing support, Disaster and Business Continuity Declaration Coordination and Process Facilitation, National Policies and Standards Development, International Technology and Business Policies and Standards Committees, Internal/External/Regulatory IT Audit Facilitation, IT Risk Assessment, IT and Business Security Training, and IT Security Contract and Vendor Management, as well as managing a large budget. I had the best management team; we developed this entire program and had it running smoothly in two years. I am hoping this “new thing” isn’t just a title change; I cannot imagine anything else being in that group!

  3. Something to ponder seriously. I agree with you in that the OG terminology of CISO has been diluted – it’s Chief in the name only, yet CISOs are expected to be a unicorn, a meister in every business aspect. The re-birth name should stay away from this notion. I am still pondering …
