Cindi Carter, Field CISO West at Check Point, and Pete Nicoletti, Field CISO East at Check Point, recently advanced the following discussion at Check Point’s flagship event, CPX 2024.

The evolving CISO role is an important and interesting topic in cyber security, which is why we’re empowering you with foundational, value-driven perspectives here. Elevate your cyber security organization with first-hand guidance from those at the forefront of innovation and excellence.

In an age of digital transformation, the role of the Chief Information Security Officer (CISO) has undergone and is still undergoing a profound evolution. No longer confined to technical risk mitigation, today’s CISOs must be strategic business partners, skilled communicators, and catalysts of cultural change within their organizations.

A recent industry panel at the influential CPX 2024 conference in Las Vegas shed light on the shifting demands facing security leaders. As Dan Creed, CISO at Allegiant Travel Company, stated, “Ask SolarWinds what the consequences are…” for CISOs who fail to effectively communicate security priorities to the broader business.

The expanding attack surface

The root of this challenge lies in the expanding attack surface brought about by digital transformation. While past breaches often stemmed from vulnerabilities in corporate infrastructure, the greatest risks now emanate from employee devices and cloud-based services. As IT has transitioned from a cost center to a revenue driver, CISOs must integrate with lines of business and advise on strategic decisions.

IDC’s survey of 847 cyber security leaders reflects this shift, with only 12% citing technical skills as the most important CISO attribute. Instead, respondents highlighted leadership, team-building, and business management as the critical competencies.

“The consequence of not establishing those relationships [is] you get a culture at the company of ‘Well, it’s not my responsibility,’” one CISO warned, echoing the experiences of organizations like SolarWinds and MGM, where security lapses occurred due to a lack of security awareness and ownership among employees.

Fostering a security-aware culture

Successful CISOs are addressing the security awareness challenge by adopting a more user-centric approach, making security transparent and easy to use. As Pete Nicoletti, Field CISO at Check Point, explained, “Security should lubricate business and make it faster.” This could mean streamlining cumbersome VPN processes or transitioning to passwordless authentication.

Some CISOs are even experimenting with financial incentives, tying security culture metrics to bonus pools. “If your department does better, it increases your bonus pool above the norm […] and if you don’t, then it hits your bonus.”

Cultivating C-suite partnerships

CISOs must also cultivate stronger partnerships with their C-suite counterparts. IDC’s survey revealed discrepancies in how CISOs and CIOs perceive the CISO’s role, underscoring the need for better alignment.

Creed recounted a recent example where the Allegiant Travel board made decisions about connected aircraft without involving the CISO, leading to a last-minute “fire drill” to address cyber security requirements. “Do you think the board, when they first started talking of going down this path of ‘we’re going to expand the fleet’, considered that there might be security implications in that?” he asked.

Educating executives on security risks

To bridge this gap, CISOs must proactively educate executives on the business implications of security risks and advocate for a seat at the strategic decision-making table. As Russ Trainor, Senior Vice President of IT at the Denver Broncos, suggested, “Sometimes I’ll forward news of the breaches over to my CFO: here’s how much data was exfiltrated, here’s how much we think it cost. Those things tend to hit home.”

The evolving CISO role demands a delicate balance of technical expertise, business acumen, and communication prowess. CISOs who master these skills will not only mitigate cyber threats, but also position themselves as indispensable partners in driving their organizations’ digital transformation and growth.

“A lot of CISOs are rather gun-shy; hesitant to talk to the business about cyber security. Do better in trying to foster that human connection,” says CISO Cindi Carter.
