Ramón Serres is an Industrial Engineer who has led and transformed the Information Security function over the last 8 years at ALMIRALL, a medical dermatology leader in the pharmaceutical industry. He has an extensive background as an IT manager and has worked in several industries, from consulting services to consumer goods and the pharmaceutical industry.
The CISO Role: What to Expect and How to Stay Relevant
The CISO role is heterogeneously implemented across businesses and organizations. Its definition and organizational positioning depend to a great extent on the size and maturity of the business and organization, and on its risk exposure, that is, to what extent critical or sensitive information may be at risk due to cyber-security threats, or to what extent critical business processes and operations are at risk. On top of all those factors, I would add that it also depends on what vision the CISO and the C-level have for the information security function.
That said, the context is evolving for everybody, and the CISO role has to evolve with it to stay relevant or, at least, to stay as relevant as it ought to be in line with the current and future needs of that particular organization.
Many things change in our context, but let us point at four of them that are quite different versus the
- The IT landscapes are changing the ratio of traditional on-premise infrastructure to cloud infrastructure. This is a short headline that entails a whole set of different requirements in terms of governance (not only IT governance but also, more holistically, enterprise governance) and risk management.
- Businesses are pushing towards creating new business models that leverage technology in new ways, where data and processes flow from one system to another, amongst devices, departments, and organizations, breaking all barriers. This is a non-stop trend because, at the end of the day, it has become a matter of survival: business sustainability and continuity depend on getting on that train.
- Technology itself is changing, both business technologies and security technologies.
- The professional profiles approaching our organizations nowadays come with different skill sets and new motivations. They cannot be treated the same way as former generations, they cannot be developed in the same way, and they have different needs that leaders must understand and act on accordingly.
- New collaboration models across departments and organizations, triggered by collaboration tools and the digital transformation, entail the need to understand the related risks and opportunities and how they can be managed.
Risk management and security maturity frameworks were designed in rather fixed environments. We have to make sure these frameworks, even though they tend to be flexible and general in their principles, still work in the changing environments we are going through, where for example, your exposed infrastructure in the cloud changes overnight in a dynamic way. Are you sure your risk reporting is accurate and a good picture of your business risk position?
Staying updated on the changing and new technologies requires time. CISOs have to devote time to staying updated, sometimes getting hands-on to fully understand how technologies work and how they can be leveraged by a business. This requires striking the right balance between understanding technology and understanding how technology can enable and protect the business. Failing to strike the right balance may drive you away from an updated business understanding which is crucial to be risk-oriented, ultimately turning the CISO position into a technology-oriented role. Are you devoting the right time to staying updated?
Noise, noise, and noise. A lot of information regarding cyber threats and technologies is flowing into organizations via email and social networks, targeting CISOs, IT communities, and even business leaders. The CISO is supposed to filter what is relevant and what isn’t. And business leaders expect CISOs to play that role. Are you helping your Top Directors to distinguish what is relevant?
Conclusion & Areas to Focus
Business understanding is a constantly evolving challenge because businesses evolve, and therefore the security function must keep up.
Stay ahead of risks: keep an eye on innovation that can help manage risks, as well as on business innovation that can translate into risks.
Organizational positioning is crucial for many reasons, and even if you have achieved this organizational positioning, it may deteriorate over time. Why is organizational positioning crucial? In a nutshell: to keep updated on where the business is heading, to ensure independence when it comes to alerting on risks, and to be empowered to push the implementation of security controls that are relevant to maintaining risks at acceptable levels.
Never forget that leading and managing the Information Security function demands constant focus on the classical triangle: organization and people, technology, and processes. Too often we see CISOs who do not spin these three plates but concentrate on the technology one.
Be pragmatic, always pragmatic.