Gartner Defines New Technology Leadership Archetypes - Part 2
CISO-CIO Partnership Vital for Digital Transformation and Customer Experience
The surge in cyberattacks during the COVID-19 pandemic made cybersecurity a top priority for the C-suite. In fact, a 2021 Gartner What's Next for CIOs Survey shows that cybersecurity threats are the number one thing that keeps CIOs awake at night (42% of respondents). The increase in the volume of threats caused the elevation of the CISO, with new roles and responsibilities being assigned to them. Partnerships with the CIO and other business heads are imperative for driving business goals, said technology leaders and Gartner.
Technology leaders are experiencing shifts in their reporting structures and responsibilities. In Part 1 of this story, we discussed how the CIO archetypes are evolving today, with a blend of traditional CIO responsibilities and business executive responsibilities. Gartner suggests that security leaders should identify the archetype their CIOs are evolving toward and assess how their role is changing or being viewed by top management and the board.
"Regardless of how the reporting structure goes, the essence is that CISOs and CIOs are partners in making the enterprise successful," said Deepti Gopal, director analyst, security and risk management, Gartner.
Traditionally, CISOs were responsible for securing the IT infrastructure of the organization. Their responsibilities were to identify risks, deploy controls and solutions for controlling access, and protect business assets and people - backed by policy and standards to comply with regulations and laws. This continues to be their mandate. But CISO performance is also being evaluated on business executive responsibilities.
"What has changed is how the threats manifest in the enterprise. That requires cybersecurity leaders to expand the current road map by planning future organizational security investments, to prepare for high momentum threats. The long-term vision is becoming critical," Gopal said.
To do this, security leaders must have a good understanding of the business functions, operations, products, services, markets and customers.
With more digital transformation occurring in enterprises, cybersecurity leaders "are enablers of digital business" and key members "in helping the enterprise balance the associated risks and translating the opportunities or drawbacks that stem from them," Gopal said.
CISO-CIO Partnership
Introducing innovation and enhancing customer experience are critical digital business priorities that both the CISO and CIO support.
"The CISO cannot be flagged behind the curtain but has got to be in front of the curtain, assisting the CIO on cybersecurity matters," said Khushru M. Mistry, former CIO and senior vice president, Eureka Forbes Pvt. Ltd.
Conrad Dias, global chief digital transformation officer at LOLC Holdings PLC, concurred and said the CISO has to be the "right hand" of the CIO in terms of driving business strategy. "The CISO plays a major role in the organization's digital transformation."
LOLC Holdings is a Sri Lankan conglomerate with diverse lines of businesses catering to multiple industries. Originally starting as a non-banking financial company, LOLC expanded into many sectors and subsidiaries in several countries - although it is still mainly involved in the financial sector.
Integrating security into every aspect of digital transformation initiatives is no easy feat, said Dimitri van Zantvliet, CISO of Dutch Railways.
"Both the CIO and CISO are integral members of the executive committee and participate in several steering committees. We share a direct reporting line to the CFO, making their partnership all the more critical," van Zantvliet said.
Dutch Railways, also known as Nederlandse Spoorwegen or NS, is a prominent state-owned passenger railway operator in the Netherlands that serves over a million passengers each day through its vast network of tracks.
SRM Leader Role
The security leader role has gained significance due to rising uncertainties in the business environment and a surge in cyberattacks. For instance, attacks by state actors on critical infrastructure target not only governments but also private enterprises. Consequently, the security leader's role has gravitated toward risk in the last decade, with Gartner now referring to them as security and risk management or SRM leaders.
The SRM leader supports the business by playing the role of digital enabler, business enabler and value enabler, according to Gartner.
"CISOs need to operate as influencers and enablers for executive and business leaders to make informed, high-quality decisions," Gopal said.
CISO Effectiveness
Gartner also suggests four KPIs for CISO effectiveness in the modern enterprise:
Functional Leadership: In day-to-day operations, the CISO's team responds to incidents while the CISO oversees breaches and crises, all while meeting budgets and adapting to enterprise change.
Information Security Service Delivery: Ensuring that service delivery and project timelines are met - while adhering to expected service quality standards.
Scaled Governance: Ensuring that stakeholders comply with policies and practices - and meet information security baselines. It's also about supporting employees in their independent risk decisions - based on what is crucial to their respective lines of business.
Enterprise Responsiveness: This is about aligning information security with enterprise-level decisions to support business objectives.
"CISOs play a crucial role in designing the future-looking cybersecurity strategy that provides a view on the emerging security threats and technologies to enhance preparedness and to provide opportunities to stay in touch with, and influence, business digital decision making," Gopal concluded.