CISO Transitions: Experience Alone is Not Enough

The responsibilities of chief information security officers have had to evolve significantly in the face of the changing technology landscape, and mounting internal and external challenges.

New insights are being offered for one of the technology sector's most challenging and faceted roles: the chief information security officer (CISO).  

Recent findings from Deloitte’s CISO Transition Lab, an immersive one-day workshop developed to help accelerate a CISO’s performance, highlighted some of the more pressing issues facing the key cybersecurity role. 

Funding limitations, more advanced cyberattacks and an inadequate governance and strategy are all barriers stacked against today’s CISOs, according to the consulting company.

Mike Wyatt, director with Deloitte Cyber Risk Services, said the responsibilities of information security officers have had to evolve significantly in both the private and public sectors in the face of the changing technology landscape, and mounting internal and external challenges. 

These changes and challenges were the premise for the Transition Lab, which Wyatt said was designed to help cybersecurity executives take on a job with notoriously high turnover rates.

On top of having to manage the information security needs of their organization, Wyatt said private and public CISOs are having to take a more active role when it comes to meeting stakeholders, managing expectations and balancing business initiatives.

“The CISO role is going through a lot of transformation at this point in time; we’re moving from an IT security to really a C-suite executive that is engaging and really managing of enterprise risks,” he said.

The need to gather input and rally for funding makes the security executives more of an “out in front” figure, often having to go before decision-makers and the public. The new facets of the position stand in stark contrast to the more technical, hands-on CISO role seen several years ago, according to Wyatt.

Deloitte reports that there are four main faces to the modern CISO: the strategist, the adviser, the guardian and the technologist.

While the adviser and strategist roles fall more toward innovation, cyber-risk strategy and integration with business functions, the company reports that many CISOs initially manage from the more reactive roles of the guardian and technician.

According to Deloitte, roughly 77 percent of CISOs spend their time as technologists and guardians, while the findings suggest they would prefer to spend closer to 35 percent of their time in these reactive roles.

While “firefighting” skills in an era of coordinated and seemingly unending cyberattacks is invaluable, Wyatt said the security executives need to prepare for the “when,” not the “if” as crisis managers.  

He said the current environment highlights, more so than ever before, the need for CISOs to handle large-scale security events, similar to those faced by emergency management teams in the aftermath of natural disasters.

“Something we coach our clients on is you will not have perfect security,” he said. “You could consume your whole [information technology] budget and still not have perfect security. Instead of risk elimination, there needs to be a view of risk management, and that requires a different mindset. It’s really tough for some security professionals to wrap their minds around the fact that you will have a security incident, and how you handle that incident really will determine the outcome on you personally and your organization.”

Tim Callahan, CISO with Aflac Insurance and Transition Lab participant, said the lab helped him to better formalize the goals he had for the company’s cybersecurity program while staying in touch with the unique company culture.

“The lab definitely help me form up how to identify and get buy-in from the various stakeholders, he said. “It really displays what we’ve been able to do at Aflac. Any program has to fit within the culture and character of the company or it’s not going to be successful.”

The CISO said the lab prompted the formation of the Information Security Oversight Committee, which is made up of non-technology leadership from throughout the company.

“… That way when we talk about security, we’re talking about it from that aspect of protecting the client, we’re talking about it from that aspect of what’s going to work well with the business," he said. "And then when we need to issue security policies, there always with that focus of how do we best serve our clients, how do we best serve the business."

In addition to the changing dynamics of the job from an approach standpoint, Callahan said the threats posed to private and public organizations are rapidly evolving. For Aflac, the sensitive data of customers is often a tempting target of would-be criminals.

Callahan also said that hacktivists, those who target organizations in support of a cause, and state actors and foreign countries looking for sensitive information, are also considerations for public and private entities alike.

Whereas a simple look at a suspicious email would have once alerted customers to a phishing scheme, Callahan said attempts to capture invaluable data are more sophisticated than ever before. He said criminals are getting more adept at social engineering as a means of gaining access to protected data. 

“It used to be that we could have an information security awareness campaign that talked about bad English and bad grammar and bad format and those kind of things from the phishers," he said. "Well, nowadays the phishing is very sophisticated and very hard to detect from those traditional things. Now we’re morphing our training into look at intent, question intent."

The prevalence of the Internet of Things is also posing new hurdles for security. Callahan said he has even seen a smart refrigerator used to attack a bank’s secure network.

“I see the attack surfaces and platforms changing and getting more sophisticated … as more things become connected to the Internet, that just gives another platform for attack,” he said. “I do think we need to be very cautious and careful of those kinds of things.”

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at