The Modern CISO: Balancing Business Acumen with Cyber Expertise


Has the continually evolving role of the CISO increased the complexity of managing cybersecurity? For Angel Redoble, Chairman and Founding President of the Philippine Institute of Cyber Security Professionals (PICSPro), the answer is a resounding no. 

It has, however, added to an “already long” job scope that the modern CISO must attend to. Speaking to GovWare, he ticked off four key pillars of cybersecurity today: governance, risk, operations, and internal audit. The issue isn’t so much the complexity as having the resources to address the ever-growing asks expected of the CISO.

The right CISO for the job

Of course, everything starts with hiring the right person. Redoble stressed the importance of CISOs with an intimate understanding of the key cybersecurity areas, lest organisations end up inadvertently exposed to cyber attackers.

This is especially the case now that organisations are aware of the importance of cybersecurity. According to Redoble, a CISO who has gaps in their know-how, or who is overly focused on any one area, might offer skewed advice.

“If the CISO you hired is [fixated on] risk, then he will always talk risk management. If the guy you hired is into governance, then he will say, ‘We need more governance.’ But if the CISO you hired is [focused on] operations, he will say ‘Buy this, buy that, deploy this, deploy that.’”

In other words, if all you have is a hammer, every problem will look like a nail.

But hiring multiple CISOs and putting them in the same room isn’t feasible either. This route will either lead to personality clashes or, in the words of Redoble, “There will be no meeting of minds.”

Organisations should instead put CISOs who understand the various aspects of cyber in charge – and ensure that they are adequately supported by a strong team of experts versed in the various pillars of cybersecurity.

Balancing cyber with business realities

In our conversation, Redoble highlighted an aspect of the CISO’s role that is not often discussed – their business acumen. He puts it this way: “Your role as a CISO is to make sure that you protect and secure the sustainable growth of the revenue, by making sure that cyberattacks [don’t succeed].”

Invariably, this requires a strong awareness of both the cyber and business side of things, including the aptitude to achieve the right balance.

“Otherwise, you might be disapproving projects that will have an impact on the projected revenue. Or you might be approving projects that boost revenue, but which inadvertently open an attack vector that ends up compromising the organisation,” he explained.

It’s also worth noting that the typical CISO has a finite budget which tends to fluctuate with commercial performance.

“For a profit-oriented organisation, the budget is always dependent on the performance of the organisation. We cannot ask for an unrealistic budget; the company must first consider its performance,” he noted.

While dips in budgets can be made up through future investments, Redoble lamented the growing cost of cybersecurity solutions, even as cyber threats are getting more pervasive, and the repercussions of a breach get more dire.

“[Cybersecurity systems are] not getting cheaper. But threat actors are getting better. This discrepancy is a big problem because the defenders are dependent on the availability of the budget. That's another reason why we are having a growing problem in cybersecurity.”

The weight of accountability

Should CISOs be made accountable for cybersecurity breaches? That depends.

“A CISO cannot take accountability if they are not empowered to improve the cybersecurity posture of the company. That's crazy!” exclaimed Redoble.

In his view, it would be unfair for regulators to penalise CISOs who have made reasonable efforts to improve their organisation’s cybersecurity posture: “Accountability needs to be a partner of authority. Because if you are not in control, how can you accept accountability? You must have that authority to implement, and continuously improve the cybersecurity posture. Only then can [a CISO] take accountability.”

“Regulators always ask: What did you do before the breach? If you did nothing, then you are negligent. But if you did what needed to be done and tried to address the risk, then you were not negligent. You tried to anticipate this cyberattack.”

On a more sombre note, Redoble observed that taking on his current group CISO role is by default an acceptance of accountability.

He suggested one way that the regulatory landscape could be improved: By ensuring that CISOs are legally empowered to garner the resources they need to implement, improve, protect, and secure their organisation.

A noble role

Is there anything we can do, given regular reports of the inordinate stresses CISOs experience and the high risk of burnout in the industry?

To this, Redoble turned introspective. “There are a lot of moving parts,” he observed. “We used to complain that the Board don’t understand the importance of cybersecurity. But that’s no longer the case.”

Redoble acknowledged that fair compensation would go a long way towards keeping the CISO going by alleviating worries about providing for their families. However, he did not attempt to sugarcoat the situation.

“You must accept that this job is difficult. If you just want to be a CISO because of the monetary rewards or [some glamorous stories] that you heard from someone, then that's not a good motivation to be one.”

“It is important to make sure that your family understand and support you all the way. For me, I gave up a lot of important events with my kids because of the job. You need to be emotionally and mentally ready.”

“Mind you, our enemies are no longer just college hackers or petty criminals. We have state actors attacking us; we now have highly organised cyber attackers with an established supply chain that are coming at us daily.”

“We are very serious in doing our job because it's a very noble job. There are no other jobs – other than the police and the military perhaps – that are about securing and protecting the community. As a CISO, we secure cyberspace,” he said.
