The Evolution of CISO Strategies

How has the CISO role changed through the years?

Charles Darwin wrote in 1859 and introduced the concept that organisms arise and develop through the natural selection of small, inherited variations that increase the individual's ability to compete, survive, and reproduce.

The concept of evolution isn’t just appropriate to one belief in human development, it is also representative of the stages of growth that happen across other organisms as well. While IT security is a significantly younger field than human evolution, it has stages of growth as well that we can analyse and learn from.

IT Security Roles

IT security is not just a “one-person” job. SecurityWizardry.com has identified 33 distinct security roles inside the enterprise today. From Intrusion Detection Specialist to Security Architect to Information Security Director to Chief Information Security Officer (CISO), salaries can range from tens of thousands to hundreds of thousands annually. While the buck stops at the CISO, it important to recognise that this prestigious role has evolved over time into what it is today.

The Five CISO Stages

The role of CISO and corresponding strategies have evolved significantly since its introduction in 1995. A recent article in DarkReading, with “The 5 Stages of CISO Success, Past & Future”, offers these five stages of CISO evolution over the last 29 years:

1. Limited Security = Login & Password (First CISO): Pre-2000, this era was relegated to only provide logon access and authorisation to files. Unfortunately, a major breach precipitated the first ever CISO being named. This also set the stage for a shift to more regulations being instituted to protect the average company and consumer.

2. Regulatory Compliance Era CISO: From 2000-2004, this era was marked by the passage of a plethora of new laws addressing privacy and security in the healthcare, government, and financial sectors. Resources were mobilised to "check the box" for security compliance, typically adhering to a set of controls defined by ISO27001/2 or COBIT.

3. Risk-Oriented CISO: From 2004-2008, this era was focused on setting new expectations because organisations could not afford to secure all the information equally. Moving to a risk-based approach facilitated allocation of funds to more critical assets and a better use of people, process, and technology. This also provided an inroad to corporate risk management and enabled a conversation of information security risk along with other organisational risks.

4. Threat-Aware Cybersecurity, Socially-Mobile-Cloud CISO: From 2008-2016, this era led CISOs to being more open to new technologies. Shadow IT projects for new technologies were being implemented at the department level, such as the introduction of social media on a mass scale, a smartphone in every pocket, consumerisation of technology and migration to the cloud. This required the CISO to better understand the threat landscape and prepare accordingly.

5. The Privacy and Data Aware CISO: From 2016-present (and possibly up to 2020), this era represents the CISO’s understanding that several major incidents involving the theft and misuse of credentials has given rise to an increased focus on privacy. effective May 2018, also increases the visibility of data protection through the introduction of substantial fines as much as 4% of annual revenue.

A New Strategy To Consider

A truism we have written about often is that prevention is always superior to remediation as the CISO’s prime responsibility. Choosing only solutions that evaluate every line of code, making well documented evasion techniques ineffective, while being agnostic to file type, client-side application type or the client operating system used within the organisation is the superior technology selection criteria. Selected solutions should provide protection regardless of operating system, CPU architecture, and function (client, server) of the targeted machine.