The Emergence of the Strategic Chief Information Security Officer (CISO) and Their Role in Risk Management

Redefining a CISO’s role and best practices for holistic data security management

An ever-evolving digital ecosystem is an invitation for new variants of cyberthreats. The threats keep mutating as attackers become more sophisticated and skilled over time and find new ways to breach security.

In 2020 alone, 6.95 million new phishing and scam pages were created, with a single-month peak of 206,310 new phishing and scam sites. According to the 2021 State of Phishing & Online Fraud Annual Report, the key drivers for phishing and fraud were COVID-19, remote work, and technology. The need for robust security protocols and new risk mitigation practices is reshaping the role of the Chief Information Security Officer (CISO).

Formerly, the role of the CISO was to monitor and investigate potential security risks in the system. CISOs reported to the CIO, which confined their responsibility to specific technical security procedures. Today, the role of the CISO is to ensure holistic security that addresses business challenges, not just technical ones, and that demands more than technical expertise: CISOs must have strong business acumen, market intelligence, leadership, and communication skills.

At first glance the CISO and CIO roles may appear similar, but an organization's cybersecurity needs differ based on its products, services, processes, market, and many other factors. This takes the role of the CISO to a whole new level, adding multiple functions under one umbrella. CISOs now have a much broader role in managing an organization's overall security health, which largely involves data security. The modern CISO must secure not only the smooth running of present-day applications and processes but also future applications and business operations, all while ensuring continuous availability of business services, no downtime, and minimum to zero customer distress.

Recently, Data Dynamics' CTO, Helen Johnson, was in conversation with Jeff Brown, CISO, State of Connecticut. Helen and Jeff discussed the evolution of the CISO and the various facets of the role that ensure maximum data security in an organization. Jeff comes from the private banking sector with over 25 years of experience and has now taken on the role of CISO in the public sector. He highlighted some of the key differences between the present-day CISO role in the private financial sector and in the public sector. Let's dive right into the conversation and dig for meaningful insights.

Differences between the CISO role in the private banking sector and in the public sector:

The primary role of the CISO in either sector remains data security and communication. However, transparency and openness in sharing ideas are more prevalent in the public sector, whereas the private sector is competitive and conservative, and CISOs of different enterprises are reluctant to share information. Another key difference is how frequently security assessments are done: in financial services, assessment reports are created on a quarter-to-quarter basis, whereas in the public sector the cadence differs from organization to organization. Security operations in the public sector center on the mission-critical events that help a city run effectively, whereas in the private sector the focus is organizational security and high-risk impacts. Both sectors struggle to retain talent and attract new skilled people while managing a huge, evolving technology stack. Having said all this, serving the public sector in any capacity, whether federal, state, or local, is very rewarding.

Evolution of the role of the CISO and the major differences: now and before:

With the increasing use of digital technologies in day-to-day operations, there is a rise in data breaches, ransomware, risk of intrusion, and more. Let's face it: the industry is evolving, and so are the attackers, who have adopted better technology to execute breaches. CISOs who were previously focused on conventional information security were more reactive and focused on remediation. Today they need to be proactive: streamlining and centralizing their risk management processes, identifying the loopholes in their systems, and fixing them well in advance to avoid a future breach. This entails robust security operations, cyber intelligence, data loss and fraud protection, building a security architecture, identity and access management, program management, investigations and forensics, governance, and communication.

At the outset, there is a need for a Strategic CISO as opposed to a Technical one. There is a missing piece of strategic alignment between the security organization and the business that the CISO must bridge. In fact, a Deloitte study found that 46% of CISOs struggle with this proposition. It is critical for a CISO to get more involved and engaged with the business goals and needs: understand the leadership's business strategy, develop a more inclusive information security plan that is also measurable, and communicate honestly and transparently with leaders and the business. It's time CISOs recognize that cybersecurity risk is a business risk, not just an IT problem.

The measures taken by the State of Connecticut to protect citizens' personal data as systems are consolidated under the new digital government initiative:

The digital revolution is in vogue in the public sector. McKinsey has estimated that the world's governments could save $3.5 trillion per year by 2021 if they matched the productivity gains leading countries have made in four functions, two of which are digital technology and data analytics. Jeff makes it very clear that in the public sector, data is treated as a liability: role-based access is granted only to the right set of people, and otherwise the data is masked and encrypted. Additional measures are taken to protect healthcare data. The other key considerations before working with third-party vendors are protection against ransomware, backup, and compliance.

The process of choosing the right security partner:

Cooperation and communication are the two most important success factors for a sound security strategy. This means working with the right third-party vendors to ensure a resilient defense that can withstand attacks or breaches. Selecting the right data security vendor is a tedious process. It requires ensuring the vendor has a sturdy reporting policy in case of any breach or attack and the ability to communicate the incident promptly once it is logged. The vendor must be compliant and have stringent regulations and policies when it comes to data protection. Their backup and disaster recovery plan must be robust and must ensure business continuity in all respects.

Data management in the public sector: understanding the data, where it is stored, who has access to it, and how it can be better protected.

When it comes to storing public data, data categorization becomes very important. Communication with the respective stakeholders and in-depth analysis of the stored data are critical to make sure the right data is protected, with business-critical data protected as a priority. In addition, pre-empting attack scenarios and devising ways to tackle them can secure organizations from breaches and intrusions. It's imperative to be prepared and to mitigate them without any downtime, business loss, or customer distress.

Top eight cybersecurity best practices recommended by Jeff Brown, CISO, State of Connecticut:

  1. Ensure holistic security without any downtime
  2. Know your data, its sources, and its destinations, and classify it well
  3. Deploy role-based access and multi-factor authentication
  4. Implement zero trust principles for a robust defense
  5. Have open communication and cooperation with stakeholders
  6. CISOs must have good business, communication, and leadership skills on top of technical skills
  7. Ensure end-to-end protection of not just the running applications but also future applications
  8. Monitor third-party vendors and their partners to ensure only the right people have access to your data

Harnessing the power of digital processes in the right manner can help increase organizational productivity while preparing the business for future attacks and keeping its immunity intact. For more insights, tune in to the webcast and access the entire conversation between Helen and Jeff. For more information, contact solutions@datdyn.com.