CISO – be the glue, not the hammer 

Words by: Ben Hampshire

2 mins, 24 October 2024

Being a Chief Information Security Officer (CISO) is not an easy task. FSP prides itself on bringing in highly experienced leadership practitioners, so we have seen it all when it comes to the CISO role. But what do we mean by saying a CISO needs to be the glue and not the hammer? Let us explain.

We can start by searching for the ‘CISO definition’. If you have ever done this, you will realise there is a range of explanations of what the CISO’s responsibilities and role are. Search results range from business leaders to cultural leaders to technologists: a mixed bag with very little alignment across industries. This is not much help if you are either an aspiring security leader or a business leader who knows they have security issues and needs someone to come in and get the problems fixed.

At FSP we’ve seen every possible positioning of the CISO in organisations of different scales. Everything from the CISO being a full member of the C-suite with the associated risks and rewards, to the CISO sitting multiple levels under the C-suite, usually under a Chief Technical Officer (CTO), but still carrying the chief title. What we find interesting about the concept of the C-suite is that we have rarely met a celebrated CEO who focuses much on the word chief in their job title. They are leaders, plain and simple.

The Hammer 

FSP’s CISOs and leaders talk to a lot of other CISOs, and they often come from four main areas: Governance, Risk & Compliance (GRC), Security Operations Centre (SOC) related roles, Architecture/Engineering and, of course, the ex-hacker. What we can conclude is that there is no recognised path to becoming a CISO. Relative to other C-suite roles, the CISO is still relatively new, so maybe that is no surprise. If a CISO has come through a more singular path, it is also no surprise that, as a security leader, they tend to stick to what they know, whether that is vendors, products or frameworks. This often leads to large-scale transformations when a new CISO lands, which can be a huge on-cost for organisations. We also see it leading to unrealised return on investment. Not many security leaders have been through any formal leadership training, which is usually essential in other C-suite roles. We have seen first-hand how good security leaders have struggled to take the team with them and have not had the tools to get the most out of their employees.

As a digital transformation specialist, FSP understands the pain this can cause organisations of any size.

The CISO remit 

To highlight two significant areas of responsibility for a CISO: FSP has recently done extensive research and development into the regulations around NIS 2, and has created one of the few UK-based CREST-accredited SOC services (SOC72).

NIS 2 is one of those frameworks where security leaders need to spend an incredible amount of time understanding not just the local regulations in the country they operate in, but also the regulations of the wider geographic area. The impact of these regulations on some industries is quite significant and can completely redefine the road map over the next three years.

An effective SOC can make the difference between recovering from an attack and an attack causing significant material loss. If you are reading this as a business leader, do you know if all your security alerts and signals are being acted upon? With security teams coming at a premium to businesses, outsourcing is becoming more and more necessary. This isn’t a bad thing as it becomes a force multiplier for your business. However, for security leaders, this is a third-party relationship to manage and ensure the effectiveness of.   

The Glue  

As a security leader, you don’t have to be the one who knows everything, and you don’t have to have all the answers. In fact, the best leaders are the ones who understand that it doesn’t matter where the right answer comes from. It’s about creating an environment in which the answer can emerge. A good leader can play what is in front of them. Some situations call for someone to set the pace; other situations call for a calmer and more empathetic approach. Good leaders should know how to act to get the best outcome out of a situation.

Security leaders should not exempt themselves from following the basic requirements that make a great leader. They should know the what, the how, but more importantly the why of security’s role in the business. Seek to understand, listen, know your strategy and your budgets, and inspire those around you through holistic support.

A white paper written by one of our Group Directors, Richard Brinson, before FSP acquired Savanti in 2023, highlighted the issues around broken security leadership outside of the technology realm. Security leaders are often not from business-focused backgrounds, so their effectiveness within the C-suite is hard to measure and trust can quickly be lost.

FSP is innovating the approach to security leadership. We understand that businesses don’t want to lose value; whether that be through reputational loss – leading to loss of customers, having to pay fines, or not being able to operate due to a cyber-attack. With the advancements in offensive tactics including the use of AI (we have to mention AI!), an attack on your organisation resulting in material loss can come from anywhere.   

FSP’s services, especially our Cyber Team as a Service (CTaaS), combine a group of experts from Security Leadership, GRC, Identity, Security Architecture, SOC and Attack and Defend. This gives us the flexibility to lead security initiatives, but also to augment your business with experts in each field. We can also call upon our wider capabilities within FSP to multiply the value and effectiveness of what we can offer.

Will we see the end of the CISO?  

In the short term no, we won’t. But the paradigm is starting to shift.   

Read this great article from Rachel Briggs OBE on Holistic Security. It states that a staggering 92% of C-suite executives believe corporate security should be accountable or responsible for cyber security. This points towards a convergence between corporate security and cyber security, which makes a lot of sense. Getting this clarity on the remit of security within businesses will hopefully bring with it recognised frameworks that define career paths for security leaders and give them the full set of tools they need to help the business succeed. This will help both aspiring security leaders, who gain the wider knowledge needed to prepare them for the role ahead, and business leaders who are hiring security leaders and need to know what good looks like for their organisation.

This new alignment will hopefully allow security leaders to be the glue, and not the hammer.

Contact FSP to find out more about how we can help you with your security requirements, specifically our Virtual CISO and Cyber Team as a Service.