The role of the chief information security officer (CISO) has never been more important to organizational success. The present and near future for CISOs will be marked by breathtaking technical advances, particularly the integration of artificial intelligence (AI) technologies into business functions, as well as by emergent legal and regulatory challenges. Continued advances in generative AI will accelerate the proliferation of deepfakes designed to erode public trust in online information and public institutions. These challenges will be amplified by an unstable global theater in which nefarious actors and nation states chase opportunities to exploit any potential organizational weakness. Some forecasts have already characterized 2024 as a pressure-cooker environment for CISOs. In such an environment, skills are critical. In this post I outline the top 10 skills that CISOs need for 2024 and beyond. These recommendations draw upon my experience as the director of the SEI’s CERT Division, as well as my service as the first federal chief information security officer of the United States, leading cyber operations at the U.S. Department of Homeland Security, and my lengthy military service as a communications and cyberspace operations officer.
- Master AI Before it Masters You—CISOs need to understand the power and potential of AI-enabled technologies well beyond the mechanics of how AI is constructed and operated. They need to understand the various types of AI platforms (for example, generative AI, explainable AI, narrow AI, and others) and how they can be employed for and against the organization. Understanding how AI-enabled technologies can enhance the organization and being able to identify both the risks and benefits will be an essential role of the CISO in the years to come. Further, contributing to the proper corporate governance and oversight processes for the incorporation of AI technologies into the business is critical. Establishing meaningful policies, procedures, and training regimes is necessary to protect and enhance the brand, reputation, and value of the organization. For example, defining guidelines for the use of generative AI by employees is vital to reduce the threat of unauthorized disclosure of sensitive corporate data, such as proprietary code or customer records pasted into an external AI service. Finally, knowing who to contact for help on AI is critical. That’s one of the reasons why we created the AI Security and Incident Response Team (AISIRT) here at the SEI to help national security and critical infrastructure organizations make AI as safe, secure, assured, and trusted as possible.
- Improve Communication with the Board and C-Suite—Boards of directors and their various committees are increasingly calling on CISOs to provide in-person briefings and related materials. Based on my roles as a faculty member at Carnegie Mellon University’s Heinz College Chief Information Security Officer Certificate Program and NACD-certified corporate director, I believe many current and aspiring CISOs need to invest more time and effort to make the leap from technical expert to senior business executive. CISOs need to distill complex technical issues into crisp and meaningful discussions on risk and opportunity in a language the senior business leaders understand and appreciate. Overwhelming the board and C-suite with “techno-speak” or an avalanche of PowerPoint slides that don’t add value to the running of an effective, efficient, and secure organization erodes trust in the CISO and their organization, often resulting in the CISO being relegated to a smaller role than they ought to have on the corporate leadership team.
- Better Understand the Business of the Business—In 2024, many CISOs ought to invest in continuing professional education focused on better understanding the mechanics of the business world. I am often asked by current and aspiring CISOs what advanced academic degree I recommend they pursue. More often than not, I recommend they put a Master of Business Administration degree from a well-respected institution at the top of their list. CISOs and their teams must stay on top of best practices in cybersecurity; current and aspiring CISOs must likewise command the language, processes, governance, regulations, and best practices of business to best serve their organizations.
- Manage Risk Using Advanced Metrics and Risk Quantification—Evidence trumps anecdotes. CISOs need to have timely, accurate, and meaningful metrics to best manage the cyber risk posture of the organization. With the complexity of the enterprise risk surface increasing due to widespread adoption of hybrid cloud computing, sometimes opaque supply chains, fragile legacy technologies, and rapid adoption of new technologies (such as AI), CISOs need the evidence-based data and well-defined and understood risk frameworks to identify, quantify, and manage risk in today’s hyperactive cyber ecosystem.
- Improve Understanding and Management of Supply Chain Risks—Understanding and characterizing cyber supply chain risk remains a frustrating discussion between boards and CISOs. In the absence of well-defined and verified software bill of materials (SBOM) information from manufacturers, CISOs are mired in a buyer-beware state of affairs when it comes to commercially available software and hardware (noting that hardware includes the onboard firmware). Emerging threats include exploitation of material weaknesses in widely used UEFI firmware that is critical to the boot process of modern devices. As supply chains grow more complex, outsourcing to third-party partners becomes the norm, widespread reuse of software continues to complicate attribution of provenance, and the lack of tools to identify tampering, subterfuge, or sabotage leaves organizations open to compromise. CISOs will likely face increased challenges from their boards to identify and characterize supply chain risks.
- Master the Art of Negotiation—CISOs have often enjoyed a more liberal fiscal environment than their peers. Often, when a CISO advised senior executives that a capability was needed to protect against a specified cyber threat, the funding was granted with little or no questioning or oversight. Consequently, many CISOs were able to pick and choose among their technology offerings, with many exercising sole-source, non-competitive purchasing. Those days are evaporating quickly as more technically savvy boards and senior executives have risen to senior leadership positions and are challenging CISOs to create compelling business cases and demonstrate return on investment to compete for limited corporate funding. As organizations mature at incorporating cybersecurity into their business processes, CISOs will have to up their game in overseeing (and sometimes leading) negotiations for the best cybersecurity capabilities at the best price.
- Think Beyond Enterprise IT—Too many CISOs remain fixated on the enterprise IT network as their center of gravity and need to look at their key cyber terrain through the lens of the business. I’ve found that taking a data-centric view of the organization reveals that while operational technology (which includes industrial control systems, automated manufacturing platforms, sensors, and actuators) and RF mobile devices contribute to modern business operations, they also expand the potential cyber risk surface. CISOs who look beyond the enterprise IT network tend to find and mitigate their cyber Achilles heels before being faced with a crisis resulting from undefended key cyber terrain.
- Promote Collaboration and Information Sharing—The financial services sector is doing a great job in collaborating and sharing cyber threat information. I believe that CISOs in other critical infrastructure sectors would be well-served in emulating the mature processes pioneered in the financial services sector to enhance the security, strength, and resiliency of the sector. The energy sector has been following suit working with their financial services colleagues. I expect we’ll see more growth in collaboration and information sharing in other critical infrastructure sectors in 2024 and beyond.
- Practice Critical and Strategic Thinking—CISOs often are mired in the tactical day-to-day operational environment as emerging threats appear daily through threat intelligence reporting, media reporting, board inquiries, etc. Permitting oneself to focus solely on the tactical dilutes the strategic focus the CISO needs as a senior executive. As the CISO position becomes a more mature and accepted senior executive position, I expect more CISOs will invest in qualified staff to manage the day-to-day crises as well as in developing their own critical and strategic thinking skills, yielding a more focused and capable senior executive expertly contributing to the strategic planning essential for the success of the organization’s core business processes.
- Recapitalize for Competitive Advantage—CISOs often have a challenge in corporate budget deliberations recapitalizing their hardware and software tools. The recapitalization cadence varies by organization and is informed by factors such as budget, performance, threats, regulations, compliance concerns, and risk appetite. In 2024, I expect CISOs will continue to articulate the value of investing in the recapitalization of assets to maintain a competitive advantage in the marketplace. Most will use comparative data to demonstrate positioning within their peer group. The most mature CISO programs will likely include analysis of software, hardware, and wetware (i.e., human capital) as part of their recapitalization proposals with upskilling, retaining, or keep-it-current training being included in the discussion of the all-important human element of the digital business enterprise.
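The risk-quantification and business-case points above (Manage Risk Using Advanced Metrics and Risk Quantification, and Master the Art of Negotiation) describe what CISOs need without showing the arithmetic. The following is an added example, not code from this post or from the SEI/CERT: a small Monte Carlo simulation in Python that turns calibrated ranges for event frequency and loss per event into an annualized loss distribution, and then reuses the same model to put a number on a proposed control. The scenario name, the ranges, the tolerance threshold, and the control cost are constructed assumptions for illustration, not figures from the post.

```python
import math
import random
import statistics

# Constructed scenario (an assumption for this example, not data from the post):
# a hypothetical "ransomware on a departmental file server" risk, expressed as
# 90% confidence intervals an analyst can defend with evidence rather than
# single-point guesses.
SCENARIO = {
    "name": "ransomware on departmental file server",
    "events_per_year": (0.2, 1.5),              # 5th/95th percentile, events per year
    "loss_per_event_usd": (50_000, 2_000_000),  # 5th/95th percentile, USD per event
}


def lognormal_params(low, high):
    """Map a 90% confidence interval (5th/95th percentile) to lognormal mu/sigma."""
    if not 0 < low < high:
        raise ValueError("interval must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # 1.645 = z for the 95th pct
    return mu, sigma


def poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, years, seed=7):
    """Return one simulated total loss (USD) for each of `years` simulated years."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_params(*scenario["events_per_year"])
    l_mu, l_sigma = lognormal_params(*scenario["loss_per_event_usd"])
    losses = []
    for _ in range(years):
        rate = rng.lognormvariate(f_mu, f_sigma)      # this year's event frequency
        n_events = poisson(rate, rng)                 # how many events actually occur
        losses.append(sum(rng.lognormvariate(l_mu, l_sigma) for _ in range(n_events)))
    return losses


def summarize(losses, tolerance_usd):
    """Reduce simulated annual losses to the figures a board can act on."""
    ordered = sorted(losses)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance_usd) / len(losses),
    }


def control_value(scenario, control_cost_usd, frequency_reduction, years=20_000):
    """Expected annual loss avoided by a control minus its annual cost (a rough ROI input).

    The control is modelled as scaling the frequency interval down by
    `frequency_reduction` (0.5 halves it). Both runs use the same seed so the
    comparison benefits from common random numbers.
    """
    baseline = summarize(simulate_annual_loss(scenario, years), tolerance_usd=0)
    lo, hi = scenario["events_per_year"]
    scale = 1 - frequency_reduction
    treated = dict(scenario, events_per_year=(lo * scale, hi * scale))
    after = summarize(simulate_annual_loss(treated, years), tolerance_usd=0)
    avoided = baseline["expected_annual_loss"] - after["expected_annual_loss"]
    return avoided - control_cost_usd


if __name__ == "__main__":
    losses = simulate_annual_loss(SCENARIO, years=20_000)
    print(SCENARIO["name"])
    for key, value in summarize(losses, tolerance_usd=1_000_000).items():
        print(f"  {key}: {value:,.2f}")
    # Hypothetical control: $150k/year that halves the expected event frequency.
    print(f"  net annual value of that control: ${control_value(SCENARIO, 150_000, 0.5):,.0f}")
```

The output is a loss-exceedance view (median, 90th and 95th percentile annual loss, and the probability of exceeding a stated tolerance) rather than a single colour on a heat map, which is what "evidence trumps anecdotes" looks like in a board deck. The mapping of a 90% interval to a lognormal distribution is one common calibration convention; swap in whatever distribution your own incident data supports, and widen the intervals rather than narrowing them when the evidence is thin.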
Looking Beyond 2024
In 2023, AI supplanted zero trust as the “buzzword du jour,” yet successful implementation of both is critically important to the success of CISOs in 2024 and beyond. Zero trust is a security strategy that will remain a centerpiece of security for the foreseeable future. With technology enabling all security programs, I anticipate that by the end of the decade, the CISO function will subsume all security functions with the CISO role evolving to the broader chief security officer (CSO) role, with responsibility over all security functions: cyber, physical, industrial, and personnel security programs. Also, I’ve long held that implementations of the zero trust security strategy ought to be data-centric rather than network-centric. Data is the fuel for AI systems and is greatly valued by those creating, training, enriching, and operating AI systems. Data has an intrinsic value because there are costs associated with the creation, storage, management, retrieval, protection, etc. of the data through its lifecycle. At the advent of 2024, we’re already seeing lawsuits seeking damages for unauthorized use of data sets by AI system providers. By the end of this decade, I anticipate we will see owned data being added as a quantified asset on the balance sheets of businesses with data valuation included under the Generally Accepted Accounting Principles (GAAP).
Yogi Berra supposedly said, “It’s tough to make predictions, especially about the future.” For the last 35 years, the CERT Division has seen again and again that it is not a question of if an organization’s systems will be compromised but when. In 2024 and beyond, CISOs need to continue to demonstrate competence in an array of technical, managerial, leadership, and communications skills to address the challenges of ensuring their organization thrives in today’s complex and dynamic globally connected environment. Because the future is uncertain, CERT-led research can help business executives and their teams cut through the fog of uncertainty by identifying best practices, evaluating emerging technologies, engineering novel solutions, providing focused training and education programs, and conducting cutting-edge applied research and development activities that help enhance national security and national prosperity.
Additional Resources
To learn more about the SEI/CERT and our products and research activities, please visit our website at https://sei.cmu.edu.
View the SEI podcast Identifying and Preventing the Next SolarWinds with Greg Touhill – https://insights.sei.cmu.edu/library/identifying-and-preventing-the-next-solarwinds/.