Information is the lifeblood of almost all businesses today. At the same time, not a week goes by without news of another big hack or security breach. The pressure on the security function is immense, and security professionals need a fine balance of skills to bring together risk, compliance, operations and technology in any large organization. Sadly, they rarely find time to grow their relationships and standing in the corporation.
The role of CISO is difficult yet crucial. Not all organizations appoint an executive CISO; many have a security director report into the CIO or else into risk and compliance functions. A dedicated CISO role is crucial, both politically and culturally, for it sends a strong message about the priorities and commitments of the business.
The role of CISO is relatively new and by no means is it a universal position. Managers attain the title CISO by following any number of career paths, typically starting in an IT environment, then acquiring specialist security certifications and/or on-the-job experience. Information security is managed in many different ways from one business to another. Some firms see it as a part of security generally; it is common among banks, for example, for the safekeeping of cash, branches, staff and IT to all come under the one executive. Other organizations have information security report into legal or risk functions, as they can see it as a corporate governance matter. And some prefer operations or IT to take responsibility for information security, especially if technology in the sector is volatile or complex. Regardless of reporting line, an effective CISO must have influence inside IT and inside the business units.
Whether a CISO comes with technical qualifications or has learned on the job, the classical CISO job description covers a basket of activities spanning network security, access management (for customers, staff and/or partners), standards compliance (particularly in regulated industries like banking, government and healthcare), policy development and implementation, internal IT audit, and sometimes privacy. The CISO’s position generally involves a lot of tech and a lot of compliance.
Organizations tend to utilize the security department in a purely defensive capacity. However, in the digital age, an organization’s internally and externally collected information is a valuable data source. Security Officers archive, protect, and maintain the quality of an organization’s information, putting them in a unique position to implement strategic, information-driven business initiatives.
The security department must evolve from “the department of no” to a business unit that utilizes a company’s information to create a strategic advantage and value to internal and external customers alike.
In a market characterized by rapidly changing technology and increasing global competitive forces, it's no secret that companies can no longer afford to rely on the feature-set of their products or services alone. After all, today's innovation is rapidly becoming tomorrow's industry standard, so organisations must ensure they create value from the information they have and forge intimate connections with their customers, colleagues, suppliers and partners in order to stay ahead of their competition. The need for joined-up thinking in business should not therefore be underestimated. This is not just about improving the flow of information within a business; rather it needs to be about unlocking consistent value and meaning from that information and extending collaboration across an organisation's entire ecosystem in order to put the customer at the center of the business and achieve real customer intimacy.
As the global economy starts to show signs of recovery, businesses can afford to look beyond short-term survival and start planning for the anticipated upturn. The long-term value that collaboration brings to an organisation more than outweighs its perceived cost: it will help forge stronger relationships and happier workers as well as translate into more efficient operations company-wide. Clear visibility of business-critical information, improved insight into business performance and customer value are the cornerstones of successful, profitable business in any sector. Making these changes today will not only improve competitiveness and provide the operational clarity required to maximize corporate performance, but will also prepare the organisation to exploit future economic growth.
Digital disruption is not a new phenomenon. But the opportunities and risks it presents shift over time. Competitive advantage flows to the businesses that see and act on those shifts first. We are entering the third, and most consequential, wave of digital disruption. It has profound implications not only for strategy but also for the structures of companies and industries. Business leaders need a new map to guide them.
In the first wave of the commercial Internet, the dot-com era, falling transaction costs altered the traditional trade-off between richness and reach: rich information could suddenly be communicated broadly and cheaply, forever changing how products are made and sold. Strategists had to make hard choices about which pieces of their businesses to protect and which to abandon, and they learned that they could repurpose some assets to attack previously unrelated businesses. Incumbent value chains could be “deconstructed” by competitors focused on narrow slivers of added value. Traditional notions of who competes against whom were upended—Microsoft gave away Encarta on CDs to promote sales of PCs and incidentally destroyed the business model of the venerable Encyclopædia Britannica.
In the second wave, Web 2.0, the important strategic insight was that economies of mass evaporated for many activities. Small became beautiful. It was the era of the "long tail" and of collaborative production on a massive scale. Minuscule enterprises and self-organizing communities of autonomous individuals surprised us by performing certain tasks better and more cheaply than large corporations. Hence Linux, hence Wikipedia. Because these communities could grow and collaborate without geographic constraint, major work was done at significantly lower cost and often zero price.
Smart strategists adopted and adapted to these new business architectures. IBM embraced Open Source to challenge Microsoft's position in server software; Apple and Google curated communities of app developers so that they could compete in mobile; SAP recruited thousands of app developers from among its users; Facebook transformed marketing by turning a billion “friends” into advertisers, merchandisers, and customers.
Now we are on the cusp of the third wave: hyper-scaling. Big — really big — is becoming beautiful. At the extreme — where competitive mass is beyond the reach of the individual business unit or company — hyper-scaling demands a bold, new architecture for businesses.
It is fashionable (and correct) to assert that business leaders need to worry about disruption. But disruption takes very specific forms, and these forms are shifting. The disruptive impact of deconstruction—like that of low-cost technologies—is now widely understood, but the challenge of the very small, less so. And the challenge of the very large, hardly at all. Put them together and you pass from the familiar world of value chains to the world of platforms, ecosystems, and stacks. The role of CISO is mission critical in a world of digital disruption.