Originally Posted at Enterprise Security Tech
This guest blog was contributed by Greg Sullivan, CIOSO Global
With the relentless continuation of devastating cyberattacks, the Chief Information Security Officer (CISO) has become one of the most critical positions in the C-suite. Given the frequency, complexity, and impact of today's security incidents, the CISO now resembles an army general defending the homeland. And it is not just the organization's data and systems that are at stake for the CISO: the person in this position now faces personal repercussions if found negligent in fulfilling their duties. The penalties for failing to carry out those responsibilities include fines and, possibly, jail time. Both the pressure on the position and the stakes have increased significantly.
As a result, the CISO must be a strong leader of people who acts with integrity, operates precisely, and documents risk management efforts thoroughly. The role has shifted: the CISO is no longer just a technical expert but also a corporate leader, with the qualities expected of a position of that standing. The required skills include navigating corporate politics, communicating complex cybersecurity risks to non-technical stakeholders, and aligning cybersecurity strategy with business objectives. This is a tall order for one person! On top of that, the CISO must still achieve security objectives by building and maintaining a skilled, motivated, and resilient team. Technical savvy alone is not enough; leadership skills are what keep a team focused in high-pressure situations.
The CISO must also be involved in disaster recovery. Disaster recovery and business continuity have traditionally been carried out by, and been the responsibility of, IT teams. However, attackers often try to exploit weaknesses during recovery periods (for example, systems restored from backups that still contain the attacker's persistence mechanisms or lack recent patches, or controls relaxed in order to restore service quickly). The CISO and their team therefore now play a significant role in ensuring that recovery efforts are secure and that systems are brought back online safely. A coordinated approach between IT and cybersecurity teams is critical. The CISO must ensure that steps taken during disaster recovery do not inadvertently create new security risks.
Replacing the CISO after a significant cyber event might seem logical, but it is not necessarily the most effective response. A major attack offers critical insight into the scope of the cybersecurity challenges the organization faces. The problem may not lie with the CISO; it may lie with those who set risk thresholds and budgets. The post-attack review should therefore assess the broader decision-making structure and the organization's risk tolerance. If the problem is found there, the people who make those decisions should be held accountable.
To adapt to evolving challenges, CISOs must keep improving both their technical expertise and their leadership abilities through continuous learning. New technologies such as AI-driven threat detection must be mastered, alongside crisis communication and risk assessment skills, and that is a lifelong process. Equally critical is instilling the same desire for growth in the team. CISOs must ensure that their teams want to learn so they can stay ahead of rapidly evolving threats; to be effective, the CISO must raise the acumen of every team member, not just their own.
Greg Sullivan is the Founding Partner at CIOSO Global, LLC, specializing in cybersecurity and technology risk management. He advises clients on regulatory compliance and cybersecurity strategies, helping organizations design and implement risk-based cybersecurity capabilities. Previously, Greg served as Senior Vice President & Global Chief Information Officer at Carnival Corporation, leading global IT, innovation, and cybersecurity efforts. He also held leadership roles as CEO and CTO at Global Velocity, focusing on enterprise and cloud security. Greg holds a BS in Systems Science & Mathematics from Washington University in St. Louis and is a Certified Information Systems Security Professional (CISSP).