By Bruce Sussman
Thu | Dec 20, 2018 | 8:45 AM PST

What is the role of the CISO? Where should a Chief Information Security Officer focus as we head into a new year?

That question has been asked for a while now.

However, the answer has changed over the last few years, as we've interviewed security leaders at SecureWorld gatherings across the U.S.

And what really got us thinking about the six top roles of the CISO is an interview we read recently featuring Starbucks' CISO Dave Estlick.

So we'll start there.

6 roles of a CISO according to security leadership

1. CISOs protect the brand

Dave Estlick, CISO at Starbucks: "My mission statement at the security department is brand protection. It's a foundational element in the decisions we make," he tells WSJ.com.

2. Business enablement

Jimmy Sanders, VP of Information Security at Netflix DVD: "My job is to ensure that our security maintains the culture and the vision of our origins. Our culture is based on two aspects, called freedom and responsibility. We will give developers, we will give engineers, we'll give different practitioners the freedom to do what they want to do. But it is their responsibility to do it to a certain standard. And so my security tools have to be in lockstep with that. My tools can't block them from the freedom that is a core tenet of Netflix," Sanders tells SecureWorldExpo.com. Watch our interview with Sanders for more:

3. CISOs are communicators

We interviewed U.S. Bank CISO Jason Witty at the SecureWorld Twin Cities conference: "You really have to think about your role as communications, that’s a very very large part of it. And you’ve got to be really, really good at the translation of whatever that technical thing is to a risk, that a board member could understand or the CEO could understand. It’s just like any other business risk; here’s the probability of this risk happening, here’s the impact if it did. Context and implications are the two most important words. But it’s really just recognizing it’s a business problem; you have to present it as a business problem, and then that will help you get the funding you need, the staffing you need, the speed to close down that risk and the support to have that speed."

4. CISOs are coaching the business

Renowned researcher Dr. Larry Ponemon tells SecureWorld that his research shows this change in the CISO role: "CISOs are shifting into a coaching role. Lines of business are taking on more responsibility for the risk, and so we're seeing more CISOs go from holding all the risk to becoming more like a coach, helping all lines of business to understand the things that need to be done to ensure cybersecurity."

5. CISOs are relationship builders

George Finney, Chief Security Officer at Southern Methodist University, shared this at SecureWorld Dallas: "The times that I think I've been successful in security are the times when I've built that relationship over months and years and I see that come to fruition during an incident or I see how they've influenced their department because of a conversation we've had. The special part of being a Chief Security Officer is really being able to work with people, connect, and make the organization better."

See the rest of our interview with CSO George Finney:

6. CISOs understand what's most valuable to the business

James Waters, Global CISO at Black & Veatch, told us at SecureWorld Kansas City: "That core information, that intellectual property that businesses collect, ferment and use throughout the course of its business that really keeps a business alive. Because if it's just out there in the ether and everyone has it, then everyone becomes a competitor. Helping protect that is something I'm really fascinated with."

So there you have it: six primary roles of the CISO according to Chief Information Security Officers themselves.

In a follow-up article, we'll look at six more roles of a CISO, based on our interviews this year. So keep your eyes open for that one!
