A Look Inside the Evolving Roles of Top Security Executives

April 6, 2023 – The roles of the chief security officer and chief information security officer have evolved significantly over the decades and require these operators to be adept and agile as they navigate a world of mass digitization and increasingly regular cyber attacks. Amid turbulent economic markets prone to uncertainty, information technology and online security are top of mind in 2023.

Roger Hale, chief security officer at Agora.io, sat down with two leaders of Daversa Partners’ cybersecurity practice, partners Jason Slattery and Joseph Patalano, to discuss privacy / security implications, ethical data use, and GTM strategies for implementing policy and procedure in varied markets around the world.

Constants, Changes, and Challenges

The cybersecurity industry has grown tremendously, specifically over the past several years. “As such, the leading roles in this field – the CISO and CSO – have inevitably shifted,” Daversa Partners said. According to Mr. Hale, the questions CSOs are looking at in their day-to-day have become just as business-related as they are technology-focused. “The role of the chief security officer is morphing from a raw technology role into one that requires expertise in business enablement and leadership,” he said.

Data protection and enablement are among the greatest challenges CSOs face. The role, formerly concerned solely with security, is now steeped in the importance of privacy, says Mr. Hale. With seemingly endless access to data, the question for companies becomes how to use obtained information as ethically as possible. The role of the CSO has become about understanding business concepts to ensure leaders across the C-suite make informed and ethical decisions; if a company lacks this imperative insight, Mr. Hale argues that a company inevitably loses its competitive advantage.

“From nation state actors to ransomware, technologists have become ever more concerned with not only protecting against external cyberattacks but more so the ability of internal actors to continue accessing necessary information despite attacks,” Daversa Partners said. “Not only is access to information at stake but so too is reputational impact and thus corporate responsibility – today’s companies move at the speed of light and potentially at the expense of privacy, bottom line, and brand.”

Insider threat is the second largest concern that CISOs and CSOs face. “Insider threat does not equate to malintent; in the economy of the past 24 to 36 months, employee and employer focus on productivity, business goals, and ROI have unknowingly taken precedence over data implication awareness,” Mr. Hale said. Ethical data enablement, he says, comes down to company culture and a mutual understanding of potential impact.

Communication is Key

Daversa Partners says that it’s commonly understood that CSOs don’t often get fired for a cybersecurity breach, but rather they are held accountable for how they respond to that breach. The way a CISO or CSO reacts to a data breach, from both a communication and a practitioner perspective, boils down to transparency. “The way that companies experiencing breaches respond – both internally and externally – impacts their industry respect and reputation,” said Mr. Slattery. “From a reputational perspective, a breach is a communication opportunity for companies to convey trust and proactiveness to constituencies and stakeholders within the ecosystem.”

Mr. Hale uses the example of a credit card processing company based in the Midwest. The company was hacked multiple times over the course of just a few years; instead of allowing the breaches to run it out of business, it pivoted its business model and opened a new revenue stream providing cybersecurity insurance, having become an unintentional expert in this arena.

Taking a Page Out of the Sales Books

Privacy and security implications become increasingly nuanced and complex as companies expand globally. Operating as a singular entity in the global economy requires respect of regional and local requirements, according to Daversa Partners. “A CISO or CSO can apply sales and go-to-market strategies to implementing policy, procedure, and privacy in varied markets around the world,” the firm said.

Mr. Hale stresses the importance of “not reinventing the wheel – sales executives have been doing this for years. If you have a global company with a global vision, you need regional subject matter experts to understand and educate from the ground up.” You only know what you know, and you don’t know what you don’t know. “In the case of security and privacy, every region and country has varied laws and regulations that must be followed,” Daversa Partners said. “It’s imperative to understand cultural nuances and determine a path to operating effectively in respect of different nations and governments.”


This underscores the notion that security conversations are business conversations, according to Daversa Partners. “The technical implications are indicative that a CSO’s job is tied up in business enablement – the CSO is responsible for ensuring the business can operate with the least amount of friction in go-to-market areas to generate and propagate revenue,” the firm notes.


“The business side and the tech side of the house have collided more so now than ever, and it’s become essential for CSOs to take on increasing political and regulatory responsibility in globalized markets,” Mr. Patalano said.

In Practice: Security and Supply Chain

Daversa Partners notes that the supply chain has become a growing concern for CSOs as they’ve become ingrained in the business process of interacting with vendors and third and fourth parties. Mr. Slattery maintains that “the supply-chain arena is the ultimate example of the security community – there are multiple vendors and companies intertwined with one another through underlying code.” Log4j highlighted the community’s broad issues and detrimental security implications.


Mr. Hale argues that the revelation of the Log4j vulnerability allowed the general public to understand that there are multiple layers to cybersecurity and that nothing can be patched overnight. “When creating software, engineers don’t write entirely new code every time; that’s not sustainable or efficient,” he said. “There’s different code leveraged from various areas that come together to create a platform and solution. In the case of Log4j, this demonstrated that remediation and implementation of secured and patched versions of tech in the supply chain are more complex than reading a CVE score and downloading and updating the patch.”

Log4j is the most recent example that has impacted the industry in terms of reputation, remediation, and credibility. According to Mr. Slattery, it was a “lion of a problem in the cybersecurity industry for software companies and CISOs who needed to determine the location of the bug and realize that since there are very few stand-alone top-to-bottom softwares in the stack, there is widespread impact.”

Log4j demonstrated that the expectations of fast-paced tech companies don’t always align with the realities of developing and implementing secure software. Mr. Patalano suggests that in high growth companies in current economic conditions, there are opportunities for gaps to occur when security executives meet with their boards, other members of the executive team, and customers.

In Mr. Hale’s experience, relationships between CISOs and their boards, their C-suite, and their customers matter greatly in effectively communicating needs and expectations. He suggests that progress can only occur when trust is preeminent. Early in his career he encountered a board chairman who asserted, “with more people and more money, we’ll be more secure.” Mr. Hale has determined that a more realistic assertion is that “with the right money, the right people, the right support, and the right timing, you can begin the process of becoming more secure. Often, data breach impacts are knee-jerk reactions to solve singular problems instead of holistically ascertaining the root cause that allowed the problem to exist in the first place.”

The CSO as a Team Player

An effective CSO or CISO has positive working relationships with the company’s board of directors, CFO, and CEO. In order to effectively communicate potential or existing risk, transparency is vital. As it pertains to the CFO and finance organization of a company, Mr. Hale notes that most security operators do not want to throw additional budget at security functions – IT and R&D are an entirely separate line item, and doing so creates operational risk, loss of revenue, and unnecessary internal impact within the organization. In the past, InfoSec was a component and cost of IT, but that’s just not the case anymore. Every company is a security company with information and data impact.

Looking Ahead

The development of security over the next 20-plus years will inevitably face its fair share of challenges, according to Daversa Partners. “The current market indicates that there’s a high level of protectionism geopolitically that affects the cost of doing business,” the firm said. “In the current economic environment, companies are trying to do more with less.”

Another unforeseen risk, according to Mr. Hale, is inadequate company communication and education. “For example, in a five percent company-wide reduction in force (RIF), it’s important for executives to conduct an operational analysis to determine the threshold of what it takes to protect the company from both a financial and security perspective,” he said.

Mr. Slattery notes that “macroeconomic and geopolitical trends indicate that external forces are creating ongoing challenges for CSOs in business management, providing counsel, and impacting operational EBITDA-focused decisions. There’s an ongoing need to enhance risk management capabilities.”

“At the end of the day, there is a deeply human component to cybersecurity,” Daversa Partners said. “In the case of the conflict in Ukraine, there are ethical implications of seeing a regional hotspot and opting out of operating there. On the whole, the CSO and CISO roles have evolved into business-oriented functions that rely on transparency, communication, and collaboration amongst the C-suite to effectively and efficiently predict and manage risk.”


Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media
