August 12, 2015 by Canadian Underwriter
Chief information security officers (CISOs) in the United States report experiencing growing pressure to protect critical information and infrastructure assets in the wake of escalating cyber threats and increasingly complex regulatory mandates, Deloitte reports.
Adding to that pressure is the expectation that CISOs – even those new to the job – will embrace strategic business initiatives and integrate a comprehensive, enterprise-wide approach to cyber security, notes a statement issued Wednesday by Deloitte, which provides audit and enterprise risk services.
“As organizations realize that cyber risk is intimately linked to their innovation and growth strategies, expectations of CISOs are changing dramatically,” Ed Powers, principal, Deloitte & Touche LLP and U.S. leader of cyber risk services, says in the statement. An effective CISO “must understand how strategic initiatives create risks and develop security programs that balance the need to drive business performance with the growing realities and complexities of protecting customers, intellectual property and brand,” Powers adds.
Deloitte responded last year by developing the CISO Transition Lab, an immersive one-day workshop that “allows a newly appointed or incumbent CISO to step out of their daily work to take a fresh look at their function,” the statement notes. More than 25 labs have since been conducted.
Lab findings reveal that the highest priority for 77% of participants is to promote better integration of business and information security strategies, followed by improving data governance and protection, Deloitte reports. Improvements in security program governance and talent management are also named as key priorities, the statement adds.
Deloitte notes that common challenges shared by new CISOs include a lack of resources and effective team structure, ineffective communications/reporting among stakeholders and throughout the organization, inadequate governance, including overall strategy and processes, a lack of support or trust from executive leadership and stakeholders, and insufficient funding.
The lab introduces the “four faces of the CISO” framework – strategist, advisor, guardian and technologist. “The CISO role requires a balanced focus across four faces that enables the enterprise security function to maximize the value delivered to the organization,” the statement notes.
Lab findings indicate that, on average, CISOs today spend 77% of their time as “technologists” and “guardians” on technical aspects of their positions, and that they would like to reduce this investment to 35%. “This demonstrates a recognizable shift in their desire to place greater emphasis on the ‘strategist’ and ‘advisor’ functions,” Deloitte adds.