The Chief Information Security Officer (CISO) role is less than thirty years old. The first CISO was hired by Citigroup in 1994, following a series of cyberattacks. Other companies across industries, but especially those dealing with critical infrastructure, followed suit and began hiring their own CISOs. At that time and for the years following, the CISO’s main responsibility was to safeguard the company’s technology and ensure its security and protection against hackers and cyber-attacks.
As hackers have grown bolder, smarter and more insidious, CISOs have had to evolve similarly, especially in the critical infrastructure field where any security breach or disruption to operations can have far-reaching (and even deadly) consequences. The position has grown in scope and importance, and today’s CISO is a key member of the C-suite. Let’s explore how and why this position has evolved.
Moving Up to the C-Suite
While there was never any question of the critical nature of the CISO’s job, the first generation of those who filled this role in critical infrastructure organizations tended to be department-level managers, reporting to higher-ups at the senior management level. Their job scope was narrowly focused on identifying vulnerabilities in the company’s technological infrastructure and taking action to mitigate the risks of penetration by cyber criminals.
Over time, there has been a marked change in the importance of the CISO’s position among critical infrastructure leadership. As cyberattacks on critical infrastructure increase, CEOs and other top managers are becoming more aware of the real threats posed by hackers and the true impact attacks can have on a company’s operations and bottom line. The increasing threat and the resulting investments in cyber defense have solidified the importance of the CISO position within the management team.
The move is further justified by the digital transformation that is taking place across industrial facilities, including critical infrastructure. The more “connected” critical infrastructure facilities are, the more vulnerable they become to attacks, and the presence of a highly qualified CISO is essential to the cybersecurity of the organization.
Critical infrastructure CISOs now have more power to make sure that steps are taken to protect the security of critical systems, but with this power has come greater responsibility and therefore the need for a wider skill set.
From Technology to Operations
At first, the critical infrastructure CISO’s role was very similar to that of a Chief Information Officer (CIO). The role was almost completely IT-based and those hired for CISO roles came from engineering or other technology backgrounds. In order to protect a critical infrastructure company’s technology systems, it made sense for the CISO to have a solid understanding of how those systems work.
As the cyber landscape has evolved, it has become clear that IT knowledge is not enough for a CISO to succeed, especially in a critical infrastructure setting. The person who fills the CISO role must also be involved in and have a strong understanding of the business’s entire operational process. Connected OT systems and the expansion of new data streams are broadening the operational framework and making it more complicated. With data constantly being produced and flowing into and out of the critical infrastructure company’s systems in a variety of ways, the only way to adequately protect all of that data is to understand exactly where it is created, what it is used for, who has access to it, and more.
It is only with this big-picture knowledge that the CISO can effectively identify the existing vulnerabilities in the critical infrastructure organization and then work to address them. These vulnerabilities do not only exist within the standard technological infrastructure such as computers and routers, but also lie with who has access to the building itself, who is delivering equipment, etc. The security risks and vulnerabilities exist all across the organization, and the CISO is responsible for protection in its entirety.
A Balancing Act
Deep knowledge of the inner workings of the company and how it aims to reach its goals, combined with technological know-how, is what best positions a CISO to develop and implement a security strategy that takes into account the unique needs of a critical infrastructure company.
If today’s CISOs continued to operate as they did 30 years ago, businesses would suffer. Sure, they may be less likely to face a cyberattack, but if the protections put in place are so strict that they prevent the company from conducting its normal operations, then the hackers have still won, because the business is unable to operate efficiently and consumers are unable to access critical services.
It is the job of the CISO to bring together the IT and OT departments and help them find the balance between business enablement and protection. The IT network is what allows employees to perform their daily tasks, such as using email services and other cloud-based apps, and it also enforces security measures to avoid breaches. The OT network is what keeps operations running, but sometimes at the cost of neglecting security risks. Negotiating and balancing between the two is, perhaps, the biggest challenge that the CISO faces. It is his/her job to understand the unique security needs of a critical infrastructure company within the context of its operational processes and business goals, and to build and implement a strategy to protect that security without compromising operations, all while mediating among employees at all levels in all departments.
It’s a Tough Job, but Somebody’s Gotta Do It
Over the years, the CISO has become a prominent and central position in many companies, especially those dealing with critical infrastructure. As the person ultimately responsible for the security of the company’s greatest asset, the CISO certainly deserves a place among the top managers. S/he must be privy to the overall business strategy in order to strategize ways to keep the company’s data and infrastructure secure and safe from cyberattacks and other criminal activity without interrupting operations or impacting productivity and profitability.