Three Types of CISOs—And Which To Strive To Be
The role of the CISO is evolving and expanding to help businesses meet their strategic goals.
Security is in his job title, but Steve Zalewski, CISO at Levi Strauss & Co., sees the focus of his job more broadly: it’s about protecting the business.
“That alternative way of thinking just really opens up your mind to get out of the traditional security box,” Zalewski said on The Grailcast.
Although the Chief Information Security Officer (CISO) role is ubiquitous at large companies today, the position has existed for less than 30 years. During that time, the CISO role has evolved from a narrow focus on IT security to a broader understanding of mitigating cyber risk. Right now, Zalewski says, the position is undergoing another transformation, as CISOs embrace a holistic model of protecting a business, enabling it to function at the highest possible level.
Three Approaches to The Job
During a private lunch and learn talk at DataGrail, Zalewski outlined the three types of CISOs:
- The Technical CISO. The first type of CISO draws heavily upon his IT background. He defines success using measurements, focusing on what’s efficient and effective at preventing breaches. He dictates business policies and outlines security protocols. When something goes wrong, he focuses on the people who made missteps rather than evaluating the policy.
- The Cyber Risk CISO. The second type of CISO sees cyber security as a value proposition that can help protect the brand. She knows that secure supply chains can help the business reach its ultimate goal, so she’s focused on preventing, mitigating, and containing any breaches that could interfere with profitability.
- The Business Risk CISO. The third generation CISO role – which Zalewski says only about 10% of CISOs are in today – is focused on a holistic approach to business risk. This CISO integrates security throughout the business ecosystem. Rather than demanding compliance, this CISO strives to build systems that align with the existing business processes and talent.
Security Within An Ever-Expanding Ecosystem
Before the pandemic, most people thought their digital lives were saturated, but even more facets of life, including school and healthcare, have gone online in the past eighteen months. The digital ecosystem has become more extensive and increasingly complex, with companies often relying on third parties and partners to present a seamless service to customers.
Data flows not only from users to a business but also within the business. Even during a simple transaction like checking out for retail purchases, data is pushed to dozens of integrations and applications in hopes of up-selling the customer.
The third generation CISO operates within this ecosystem, providing privacy and security to all parties in order to build trust. Zalewski’s main objective is to help Levi sell more jeans. That singular mission means providing security to customers, employees, suppliers, and the global supply chain of goods and information. All of that taken together is what protects the brand and ultimately boosts the bottom line.
Developing Comprehensive Solutions to Enable Business
A skilled CISO understands a company’s strategic goals and builds security systems to enable the business to thrive. This is a shift in thinking about the role: A CISO is no longer focused primarily on compliance but rather on crafting systems that elevate and optimize a business while meeting or exceeding compliance mandates.
Many CISOs find it challenging to get the company’s leadership to view them as a C-suite partner rather than a necessary evil. However, results speak for themselves. Dynamic CISOs can strengthen a business by:
- Giving company innovators room to experiment, without security protocols that hinder creativity or problem-solving.
- Streamlining security to allow faster integration of new business capabilities.
- Introducing and exploring revenue potential from data.
The demands on, and the resources available to, CISOs are constantly evolving. It is becoming clear that a skilled CISO is among the most critical players in helping a business establish trust, strengthen its brand, and reach its strategic goals.
Resources and Additional Reading:
- Steve Zalewski’s GrailCast
- The Institute of World Politics: Evolution of the Chief Information Security Officer
- ThreatPost: The Evolving Role of the CISO
- CPO Magazine: The Evolving CISO: From Naysayer to Enabler