The best CISOs are those involved with transformation and using the current pandemic situation to establish new ideas and strategies.
Speaking on a virtual panel led by panel chair Ed Amoroso, founder and CEO of TAG Cyber and featuring speakers from HP and other companies, Charles Blauner, partner and CISO in Residence at Team8, said he felt the best CISOs are operating within organizations where they are business leaders.
Blauner said, despite the COVID-19 pandemic, he felt nothing had changed for the CISO from the daily job of being responsible for critical assets and protecting them irrespective of where they may be, whilst everything else in their world has changed. “Which assets were valuable and where they are accessed from is different from a year ago, and I don’t think it ever goes back to normal in the old definition,” he said.
Blauner explained that he sees budgets going down and also going up, as companies think about operational resiliency “and the really good CISOs, who understand how to build on the fact that security is such a foundational aspect of our operational resiliency, are getting it right and expanding the definition of what it means to be a CISO.”
This is not about just protecting information as it was 30 years ago, “but this is an opportunity for the good CISOs to change the nature of their relationship with their CEOs with their businesses,” he added.
“The really good CISOs think about how to leverage modern and even ancient technology to really help transform the business. The really good CISO right now is taking the opportunity to put new ideas out there, and it is the really bad CISOs that struggle to catch up with all the changes that no-one ever talked about as no-one ever thought the CISO was important.”
Also speaking on the panel was Kris Lovejoy, EY global cybersecurity leader and former CISO of IBM, who said that CISOs are often left out of the transformation process, while budgets are cut. “They are being asked to reforecast their budget and strategy in the context of new business approaches.”
However, Lovejoy said she was optimistic as in the past, she had seen organizations “buy more stuff” to deal with compliance issues, and never take anything out. “My hope is that this industry will begin to streamline and de-complex our organizations and think about security in the context of business, as opposed to how we have been considering it before,” she said.
“So I do believe that the combination of large scale breaches, ransomware attacks and the requirements which are getting the mindshare of the executives, along with top down pressure plus the bottom up pressure to rationalize, will result in a meeting in the middle that is going to institutionally change our approach to cyber.”
Asked by Amoroso if she felt CISOs are up to that challenge, she said she is seeing this and she had some hope in that CISOs are “more business aligned and transformational in nature” and she felt that their pragmatism and business alignment is going to prepare them in future.