
The CISO role has quickly transformed from a mostly technology-focused role to one requiring a strategic business leader with duties affecting every aspect of the firm, but the report reveals a growing gap between organisational expectations of CISOs and the structures, skills and support required to meet them – including a lack of full buy-in from boards of directors.
This issue has taken on added importance following recent claims by AI company Anthropic that its new Claude Mythos model can perform some hacking and cybersecurity functions better than humans can do, raising new concerns over corporate cybersecurity.
“Boards often lack a shared language and basic cybersecurity knowledge,” says the report, entitled Beyond the Firewall, which was written by Simon Learmount in collaboration with global cybersecurity company ISTARI. “Tensions remain in many organisations around the CISOs’ mandate and voice at the top table.”
Targeted training needed on cyber governance
“Despite sitting in the same meetings, CISOs and directors may not be speaking the same language or measuring success by the same yardsticks,” adds the report, which draws on candid interviews (with strict anonymity) with CISOs, board directors, regulators and policymakers across multiple sectors and geographies. “There is a pressing need for targeted training and development to build cyber governance capability at all levels.”
Says Simon Learmount:
“The picture the report paints is unsettling. Boards have, almost universally, accepted that cybersecurity belongs on the agenda. Whether they know what to do with it once it arrives there is another matter.
“The most striking thing in the interviews done for the report was not how much the CISOs knew. It was how little of what they knew was reaching the people legally responsible for the consequences. That is a governance failure, and it is one boards have very little time left to fix.”
As outlined in the report, ransomware and cyber-attacks have in the past year hit major companies like retailer Marks & Spencer, costing the company more than £300 million in lost profit and wiping £750 million from its market capitalisation, and carmaker Jaguar Land Rover, forcing a 5-week production shutdown and disrupting operations across 5,000 businesses in the automaker’s supply chain, with total economic damage of £1.9 billion.
Everything now lands on the desk of CISOs
Among the comments of CISOs who were interviewed for the report:
- “I’m part shrink, part diplomat, part technologist – which is not sustainable without wider bench strength.”
- “Security, privacy, data, resilience, AI ethics – they all end up on my desk.”
Hybrid working has brought added cyber risk
The report also highlights how workplace changes brought on by the COVID-19 (coronavirus) pandemic, including those linked to hybrid working, have been taken to another level by artificial intelligence:
- “Pre-COVID I knew every laptop; now I’m fighting personal iPads on home Wi-Fi.”
- “We set up split-tunnel VPN for 25,000 staff in 10 days – nobody reviewed the trust model.”
Firms’ cyber security metrics and mechanisms are limited
The report also highlights:
- the conflation of compliance frameworks with true cyber resilience, leading to narrow and misleading success metrics
- limited mechanisms to visualise and manage supply-chain risk across complex ecosystems
- growing regulatory fragmentation, forcing CISOs to juggle overlapping and sometimes conflicting compliance obligations
Cyber security is not a one-off exercise
The report underlines that firms need a continuous process, not a one-off exercise, to respond to the changes in the CISO’s role and the challenges and threats this poses.
“These findings position cybersecurity and digital governance as an urgent leadership priority,” the report concludes. “The takeaway is clear: cybersecurity and digital governance require urgent attention, sustained investment and a long-term commitment from leadership – a journey that must begin now to secure the organisation’s digital future.”
Related content
Learmount, S. (2026) Beyond the firewall: leadership and governance insights for cyber resilient organisations. London: ISTARI.