September 2022, GOVERNMENT CIO OUTLOOK

suggest and the most recent supply chain attacks demonstrate, any success in cyber security will evolve from an ongoing, dynamic, and clearly understood partnership between the public and private sectors.

With the above in mind, here are some of the critical areas that warrant consideration when defining the role of the Next Generation CISO:

1. The CIO/CISO partnership needs to be maintained. In redefining the CISO role, we cannot devolve it into that of an auditor of CIO activities. Although the CISO should have a seat at the boardroom table independent of the CIO, we cannot neglect that the CISO's day-to-day work involves IT. In other words, there will always be crossover between CIO and CISO organizations. We need to ensure that we do not engineer conflict by design.

2. The CISO role needs to be operationalized. Too often, CISO offices, especially in the public sector, are seen as policy and paperwork shops. In redefining the role, we need to ensure we include proactive security responsibilities, such as red and blue teaming, incident response, and cyber resilience. Security is more than a checkbox on a form, and we should say as much.

3. Ensure CISOs are accountable to leadership. Industry has already figured this out by having its cyber lead report to either the board or a board member. The public sector needs to follow suit. Senior leadership should be on a first-name basis with their CISO, and CISOs should not be hampered by chains of command when it comes to discussing cyber security risks with decision makers.

4. Make security everyone's responsibility. This means adding cyber security requirements to leadership performance plans at all levels and giving the CISO approval authority over those additions to ensure alignment with cyber goals and priorities. Accountability starts with executive leadership.

5. Next Generation CISO responsibilities need to be codified in law and policy.
We need to define CISO areas of responsibility (AORs) that ensure a clear understanding of cyber authority and that have applicability and meaning in both the private and public sectors. However, AORs cannot be static administrative markers, because such constructs tend to lose meaning and value over time. Rather, Next Generation CISOs should be practitioners of agile security concepts and principles, remaining flexible and responsive to changes in the threat landscape as well as shifts in technology. Given this, the role needs to be defined while remaining adaptable to change.

John F. Kennedy said, "Change is the law of life and those who look only to the past or present are certain to miss the future." President Kennedy's warning is certainly applicable here. Now is the time for transformative change, before the cyber industry is forced into it under more dire circumstances: another SolarWinds or Log4j incident. Creating a Next Generation of cyber security leaders that bridges the gap between the public and private sectors benefits all.

The chief information security officer (CISO) is the executive directly responsible for cyber security. This is true of the federal government and increasingly so for the private sector.