In Episode 7 of our Security Leaders Perspectives series, security leaders describe how the role of the security professional or CISO has evolved during their time in the industry.
Security is Everyone’s Job – Chris Carlson
“More organizations are realizing that security isn’t an optional add-on to an IT organization.”
In the past, security was seen as one of the functions of the IT department. Over time, companies have realized that the responsibility for security lies with the entire organization. Effective security requires security professionals to reach out and share knowledge with the rest of the company, and it requires other employees to actively participate in keeping the organization safe.
Cybersecurity Becomes a Focus – Benjamin Corll
“There is now a seat at the table for security. This is a topic that is being talked about by every board. It’s being talked about by every executive team.”
In the past, the IT person was also the security person; there was no focus on security by itself. Now, security is a Top 10 concern for executives and board members. Today, businesses understand the need for cybersecurity, and the focus is on finding and retaining security specialists to meet the company’s needs.
Becoming a Business Leader – Larry Trittschuh
“There’s this constant elevation of the role to becoming a business and risk leader versus a technology or security leader.”
In the beginning, the cybersecurity leader was typically a technology leader buried somewhere in the organization. As companies have been held more accountable for their cybersecurity and it has become a focus, this has changed rapidly. The modern cybersecurity leader is a business and risk management leader much higher up within an organization.
From Gamer to Partner – Tim Tillman
“We are now all the good guys and we’re here to help, and we’re here to provide those solutions and everyone needs us now.”
In the early days of cybersecurity, many cybersecurity professionals were seen as geeks or black hat hackers who had changed their ways. Over time, this view has changed to seeing cybersecurity professionals as trusted partners. Today, we’re seen as the good guys with solutions to problems that companies need help with.
Back Room to Boardroom – Aric Perminter
“Definitely no longer are CISOs in the shadows. They’re in the boardrooms.”
Early CISOs were hands-on experts, spending most of their time alone, protecting the organization against cyber threats. As cybersecurity became more of a focus for businesses, these CISOs have come out of the shadows to explain how things work. Now, companies are specifically searching out CISOs to serve on their boards.
To Holistic Risk Management – Max Tumarison
“It’s not an IT problem anymore. It’s more of a risk function where it’s a risk and it’s basically looking at other risks holistically from the CISO point of view.”
CISOs have been moving out of the IT department into a more general, risk-focused role. This provides them with the independence needed to do their jobs and a voice at the table that is distinct from the operations focus of the IT department.
From Compliance to Risk Management – Charles Blauner
“We have finally completed the shift from people thinking about this as a compliance discipline, where the world is black and white, and now truly understand that this is a risk management discipline, and it’s all about shades of gray.”
Cybersecurity programs started out focused on checking the boxes to achieve and maintain regulatory compliance, which has clear goals and strategies for achieving them. Now, the focus is on risk management, where everything is shades of gray.