The CISO is a risk management professional

Rachael Bolton

It seems like only a few years ago we were still having the conversation about whether the Chief Technology Officer should sit inside the C-suite. When we look back now, the wisdom of that cultural shift – the embrace of the CTO – is obvious.

But with cyberattacks widely believed to be the single biggest threat to business in 2022, now is the time for the next step in the evolution of the C-suite: elevating the Chief Information Security Officer to a seat alongside the Chief Financial Officer, Mimecast Asia-Pacific vice-president Nick Lennon said.

Mimecast country manager Nick Lennon

He said that uncertainty breeds insecurity. In times of upheaval, the volume and sophistication of cyberattacks increases.

“This is an election year, so expect an increase in [cybercrime] activity. These are the types of events that have created waves of cybersecurity incidents in the past. At the start of COVID we saw a real spike, and we’ll likely see the same with the current conflict unfolding in Europe,” Mr Lennon said.

Companies that were already ‘tech forward’ have fared far better over the last two years than companies that were less committed to digital transformation and more reliant on legacy systems.

Mr Lennon said that the regulatory environment around cybersecurity has also rapidly matured. The language and practice of risk management is much more prevalent in cybersecurity now than it was even a few years ago.

“What that means for the CISO is that they’re no longer the specialist technology and security stakeholder,” Mr Lennon said.

“They’ve now progressed as a business leader. We’ve seen a lot of risk and governance orientated professionals that have entered the organisation or entered the C-suite as the CISO. And they’ve got a very different background, looking at financial risks, governance and business risk.

“What we’re seeing is that the CISO is now far more a risk professional or risk leader.”

Mr Lennon said that the elevation of the CISO role also relates heavily to the increased risk management and reporting responsibilities that stem from the introduction of the APRA prudential standard CPS 234 back in 2019.

CPS 234 covers information security: it places ultimate responsibility for an entity's information security with its board, and it requires material information security incidents to be reported not only to the board and audit committee but to APRA itself, within 72 hours of the entity becoming aware of them. That is a critical change.

The Security of Critical Infrastructure Act, whose 2021 amendments introduced mandatory cyber incident reporting for critical infrastructure assets, and the Federal Government's Ransomware Action Plan, which proposes a mandatory ransomware incident reporting regime, will also drive the CISO into the upper echelons of executive management.

It’s not so much a battle for the importance of cybersecurity to be recognised by the board anymore. Companies are being compelled to invest, and to invest well in a higher calibre of CISO, either through recruitment or training.

“That investment in cybersecurity executive leadership is closing the gap between the board conversation and the security leader,” Mr Lennon said.

What it does mean is that candidates with training in risk management and cybersecurity, together with proven leadership ability, are in high demand.

“We don’t have enough security professionals,” Mr Lennon said. “That’s been called out and has been a problem for the last four or five years.

“And now, with the need to move that skill set from being a specialist in technology to being a specialist in understanding business risk and connecting technology requirements back to business risk – that’s definitely a challenge.”

He said that on top of the challenge of finding this rare gem of a candidate, the average tenure for a CISO is only two years. Burn-out is a huge problem in this role.

It’s hard to offer good working conditions when we’re operating in an environment that demands 24/7 protection from attack whilst the frequency of attack grows year-on-year without any end in sight.

“Cybersecurity incidents tend to follow real world events,” Mr Lennon said.

“With the world in a state of ongoing geopolitical turmoil, with the Federal election required to take place by the end of May this year, and with the ongoing threat of COVID keeping the population on edge, one thing’s for sure: the CISO is going to be working hard in 2022.”

This article was produced in partnership with Mimecast. Nick Lennon is a member of the InnovationAus Leadership Council.
