Heidrick & Struggles: Upending Tradition: Modeling Tomorrow’s Cybersecurity Organization
Start with a comprehensive approach to security
Matt Aiello and Scott Thompson, consultants at Heidrick & Struggles, have published new insights on how to structure the role.
For a multitude of reasons, the role of the chief information security officer (CISO) has never been more important or more widespread. The prevalence of distributed technologies such as cloud computing and the Internet of Things has created new opportunities to breach systems and access data, including in traditionally nontech industries that have never before been meaningfully exposed online. Increased regulatory scrutiny, exemplified by the General Data Protection Regulation (GDPR), has added further nuance to a CISO’s duties. And continued rapid developments in technology and regulation portend even more complexity in the years to come.
These complexities vary widely across industries and company sizes, and so do the reach and responsibilities of the CISO. No single approach to structuring the role has crystallized. Furthermore, it is highly unlikely in most organizations that a single person could manage every aspect of information security.
So how should corporate leaders begin defining a CISO role? First, they should carefully examine and understand their own current and future information security needs and threat landscape. Second, they should study CISO roles others have put in place to get a sense of what’s possible, including understanding the mix of skill sets and expertise among potential information security leaders. Third, they will need to create a role—or, more likely, roles—that meet the complex demands of the business and are capable of attracting the best talent.