With technology and the risks associated with it evolving at a rapid pace, businesses are looking not only for IT expertise in the C-suite, but also business savvy.
Jack Gulas, an adviser to local compliance firm GRC Concierge, told OBJ on Monday that the role of chief information officer is slowly disappearing as more executives look for information security people who can also provide strategic business advice.
Over the next five years, Gulas said he expects the role of the CISO — or chief information security officer — to become a staple in boardrooms across the country.
OBJ spoke with Gulas to break down the rise of the CISO, why growing companies need more strategically minded IT people, and the challenges of finding leaders who fit the bill.
This transcript has been edited for length and clarity.
What is a CISO?
For a long time, everybody was on-premises. You had your security around your on-premise equipment — your VPNs, your firewalls, the network technology organization — responsible for all that infrastructure. So database manager, application manager, architect, infrastructure manager and security were all under that chief information officer role. That was all about creating that moat around your castle and keeping your assets protected.
Now, everyone has moved to the cloud. People are using all the cloud resources and this is where compliance frameworks started appearing in a big way. If you're in health care, HIPAA is an example. When all this data primarily goes to the public cloud, you're no longer responsible for building and managing these systems. So security morphed into requirements around the strategic planning of the business. You start thinking: Where do we do business? Who are our customers? How big are they? How are our product features being built?
The security component used to report in through the CIO, but now the chief information security officer role has emerged. A lot of CIOs transitioned into those roles but you're also finding a lot of people with non-IT security backgrounds that understand compliance and GRC, or governance, risk and compliance.
What are the main differences between a CISO and a CIO?
The CIO is a lot more day-to-day management, like cost management, resource sourcing, keeping up with the demands of the business so they can provide IT resources for projects.
The CISO is a lot more strategic, so it has a lot more visibility across the entire enterprise on where the business direction is going, as well as governance, risk and compliance. It's more of a proactive role, as opposed to the CIO, which was more of a reactionary one. The example I give is if a company says it wants to enter a new market and asks, ‘Can we expand into Europe?’ Well, these compliance requirements emerge based on those geographies that you may want to enter. So if you start expanding, you start capturing different types of information. If you're in a specific market, like health care, can the new function we're introducing pass HIPAA, which is a medical framework? The CISO sits at the table and talks about the strategy around that.
They should have an IT background. I think that that's important, because there's a lot of cloud engineering services involved. But they should also be very familiar and work at the business level to understand where things are going. It's a much more strategy-enabling role, in my opinion, compared to the CIO, which was more about managing the operations and the cost.
What are the challenges of finding people with the skillset to fit the CISO role?
Having the IT background to understand how these systems integrate and how they can integrate moving forward is important because a lot of the large enterprises are still transitioning or modernizing from an on-premise to a cloud-based system. There are a lot of moving parts happening at the same time. But you also need to get people who are much more savvy in the business and can speak to it because then you're understanding where you’re taking security risks and rewards for some of those business decisions.
They could come from a security or an audit background. They could understand the frameworks and the structure of compliance and controls. A lot of them have an accounting background or experience in the domain that the business is in, whether that’s manufacturing or health care or defence. But what a lot of those people would not have is the IT background. The IT folks, they probably have a cybersecurity background but not a lot of exposure to speaking to the business and the domain that the business is in. Traditionally, IT is more isolated because they're reacting and doing more operations on IT systems.
That's why the CISO role is emerging. Both sides have something to contribute. It's definitely an exciting role and an enabler for the business and very important for a lot of the CEOs to have strong CISOs as part of their C-suite.
What does that mean for how companies train people in their talent pipeline?
I think it's sort of that 360-degree view. Folks with financial backgrounds, audit and risk backgrounds would be great but I think to keep that 360-degree view you would have to give them some form of technology understanding — about IT tools, corporate enterprise architecture, and more tech-savvy. That would be what I recommend. There's a bunch of other things to factor in like AI, for example, and automation. When you’re using a lot of technology, (the CISO needs to know) what the risks could be. What does that mean? How are those tools being used inside of your business? That's why I think the CISO role is really emerging as the blend of both of those things: the traditional security, audit, risk background, and then also with the tech-savvy.
What does the increased demand for CISOs say about businesses’ cybersecurity awareness?
Awareness has changed a lot. I mean, it seems to be popular for organizations, depending on their size, to look for fractional support from a CISO. The GRC Concierge team offers fractional CISO service, which they call vCISO, meaning virtual. It's so common here that it really speaks to the fact that the industry has adopted this. And it’s really popular as a fractional role because some companies may not be able to justify a full-time employee but they need (a CISO) in some very important moments if there’s some seasonal aspect to their business or up-times and down-times. When they're busy, they may look for that expertise around strategy and planning. I think fast-forward five years from now, most large organizations will have a CISO defined and under them and a risk team that will be very prominently positioned within the organization.
How does a business know if they should be considering a CISO?
Compliance is what will really drive it and it won’t really be a surprise. Compliance at first may feel like, oh, we just need to do this checkbox exercise to get compliance. But what happens is that compliance forces you as an organization to really reflect on your policies, and policies lead to controls, and then controls lead to evidence-gathering, and these policies and controls affect the tools that you use and the processes that you have within your organization. It starts you really questioning your security posture. What are we doing to look like we're secure for the stakeholders or internal employees or customers or suppliers?
With what otherwise starts as a bit of a checklist exercise, you start realizing that a lot of strategy is involved. So learning, or getting someone to explain some of the considerations as you make these strategic decisions, is where you get into this. Who can help me think through that policy and help me think through the architecture that I have or the product that I am selling to the market and some of the decisions I make on how I consider those particular systems? That's where you have somebody on the team that can provide input on that. And so this is where I think you’ll hear more and more about CISO support.
Anything else to add?
Lots of organizations are now being asked to use numerous frameworks so even that becomes a strategy of creating a roadmap of which frameworks you may want in which order. Some have overlap, like 80 per cent of what you do for one could be applicable to the other. But again, that impacts policies and controls. You also don't want to stifle the business. You still have to make money, you have to pay the bills, you have to make a profit and pay shareholders and employees and all that good stuff. So even having that plan on the frameworks as it relates to global strategy for business is pretty important.