The emerging role of the CISO

Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official to head up their information security operations, a CISO; and to ensure that the executive and board are appropriately informed of the organization's security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.