The changing nature of the CISO’s role, along with the shifts in threats and risk management strategies, means that pinning down a CISO’s responsibilities is a virtual impossibility. “It’s an evolving situation, and every year a CISO’s role has to be kind of re-analyzed to figure out, okay, what do I need to do,” Dale “Dr. Z” Zabriskie, field CISO of Cohesity, tells CSO.
He adds, “We’ve gone through that time where the board or the CEO or the company points at the CISO and says, ‘It’s your job to protect us.’ We’ve moved away from that to where the best thing a CISO can do is to be connected at every level of the business to understand from each department leader and demand from that leader what data, what systems they are responsible for. Then the CISO can determine the best course of action based on acceptable risk.”
What this means to some experts is that CISOs need to feel their way around the organization before defining their jobs more concretely. “It’s the CISO’s responsibility to finalize their own job description, essentially, and set expectations based upon the risks and how that aligns with bits of strategy and the actual culture that exists,” Susan Chiang, CISO of Headway, tells CSO.
