Sunday, January 1, 2023

A New Cyber Trend For 2023: The Death Of The CIO & CISO

Happy New Year, everybody!  I wish all of my friends and family out there, and the people I have yet to meet, that all of their dreams come true this year.  2022 was certainly a challenging one, even for me personally.  Let's hope that the world will be a better place this year, and that we can all live in peace and harmony together.

Well, back to work.  In yesterday's blog, I wrote about some of the top Cyber trends that are going to happen this year.  I concluded it by simply saying that nobody knows for sure whether they will happen.  But in today's blog, I want to make my own big prediction for 2023.

You may be asking what it is.  Well, it is literally the death of the CISO role.  Why do I say this?  Look at the world around us.  Everything is digital, and the workforce is pretty much all remote.

Even the talk of a hybrid work environment has not really taken off, as many workers will choose to work from home (WFH), a shift brought on primarily by the COVID-19 pandemic.  Businesses are abandoning their traditional brick-and-mortar locations in favor of renting much cheaper virtual offices.

Plus, given the uncertainty of the financial markets, the tech layoffs, and inflation, many companies are simply going to hold onto the cash on their balance sheets until things stabilize some more.

So with all of this, the end of the CISO is now at hand, giving further rise to the role of the virtual CISO (vCISO).  With the former, a lot of expense went into recruiting, salary, and lucrative benefits.  With the latter, all of that is gone.

You hire someone on a contract basis, for a fixed fee that is a fraction of what it would take to employ a CISO full time for one year.  Of course, there are other benefits of having a vCISO, such as scalability, access to a broader pool of resources, etc.

But now that this is going to be the trend this year, what will be expected of the vCISO?  Here are some clues:

1)     Reporting a breach, which they may or may not have full control over:

When a vCISO comes in to work for you, they typically don't waste any time.  Usually all they need is a few hours of orientation at most, and then they start working.  So the question now becomes: what happens if a security breach occurs under their watch?  Under the newer breach-notification laws, it is supposed to be reported to federal or state authorities within a short window, on the order of 24-48 hours and no longer (the exact deadline depends on which regulations and jurisdictions apply to the business).  If that happens, the chances of being audited are even higher than normal.  But since a vCISO is a contractor, what should they do?  Should it be left to the other members of the C-Suite?  No matter what the situation might be, the vCISO is still viewed as the top of the chain of command when it comes to the security of the business they are contracted to.  In other words, the buck literally stops with them.  So yes, in the end, it is still expected that the vCISO will report any breach quickly.  But there will be pressure put upon him or her over the manner in which the breach is reported.  For example, other members of the C-Suite may want to word the language in any communications in such a way that there is minimal damage to the bottom line and to the brand and reputation.  That pressure is exactly why the reporting obligation, and who signs off on the notification, should be spelled out in the vCISO's contract up front rather than worked out in the middle of an incident.  In the end, it may be wiser to hire a PR firm to relay these kinds of communications, and other types as well.

2)     Responding to a breach:

This is where the Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans come into play.  But since the vCISO is, once again, a contractor, whose responsibility is it to make sure these documents are created, tested, and enforced?  Once again, it is the vCISO's.  After all, that is why you hired him or her: so that your business can respond quickly if a disaster does happen.  Since most vCISOs are on a fixed-term contract, they will make this a priority and get it done quickly; they are not going to waste any time.  So the next question is: if there is no vCISO, or you are between contracts, who takes charge of all of this?  Naturally, it would be the next in line, most likely the head or manager of the IT Security team.  This brings up another important point: your company will have to work out a line of succession for the periods in which you have no vCISO on hand, and that successor should be named in the IR, DR, and BC plans themselves so the hand-off does not depend on the contract status of one person.

3)     Working with the C-Suite and above:

Technically speaking, if the vCISO is hired on a 1099 basis, then all he or she has to do is the job tasks that were discussed and outlined specifically in the contract.  In theory, this makes them immune to company politics and anything else like that.  Also, the only people they need to interact with are the ones who provide the resources required to get the job done.  But as we forge ahead into 2023, this mindset is going to shift drastically.  This means that the vCISO is going to have to step outside the bounds of their contract and establish relationships with the other members of the C-Suite as well as the Board of Directors.  They will also be expected to establish lines of communication with them that are understandable, free from techno jargon, and, above all, explain what the actions taken mean to the bottom line.  Also, it will be up to the vCISO to make sure that Cybersecurity remains a top issue with the rest of the C-Suite and the Board.  Ultimately, it will once again be the vCISO who is held responsible for maintaining clear lines of communication with everybody in the company, in a top-down manner.  The bottom line is that you should be able to answer this question at all times:  "Why should I care?"

My Thoughts On This:

In the end, the vCISO is always going to be in the hot seat.  But the beauty of this role is that the contract can be terminated and a replacement found rather quickly.  Heck, there are over 3,000 Cybersecurity companies, and I would say it is safe to say that most of them offer some kind of vCISO service that you can make use of.

I also get asked about the role of the CIO.  Truthfully speaking, this is pretty much a phased-out title now.  I have not really seen it used much anymore, as the role of the vCISO has taken root.
