When I first started covering data security in the 1990s, the relatively new CISO role was almost an entirely technical role. Even if CISOs didn’t do the work directly, they needed deep technical capabilities in networking and operating systems.
And the role was essentially filled by hiring from technical corporate technical positions, law enforcement or from technical roles within the military.
Rarely did these CISOs, except for the largest of organizations in critical industries, meet with the CEO, let alone their board of directors. Most commonly, at the time, the vast majority of CISOs or their equivalent reported to the CIO. There’s been quite a bit of change in the role of the CISO since then.
Today, the function of the CISO involves much more risk management and business leadership. It’s as much about helping executives and the c-suite understand risk as it is about bits. This has a profound impact on recruiting cybersecurity talent. Consider a new report from Kudelski Security, “Cyber Business Executive Research: Security Leadership Talent Gap,” which found new responsibilities for the modern CISO now include business leadership (23%), being an evangelist for the program (17%) and being the organization’s risk leader (17%).