
Milky Blog


The CISO's role is changing for a few reasons

By Hendrik Jansen  - November 12, 2018

The role of the CISO is changing, and the change is driven primarily by the executive management team.

The role of the modern-day CISO is to provide the leadership and guidance necessary for an organization to manage the digital risks to the confidentiality, integrity and availability of the organization's data, access, intellectual property, and information technology assets.

The CISO's role is evolving from being focused primarily on the implementation and management of security control technology (firewalls, IDS, AV solutions, etc.) to that of a consultative, business-process-aware digital risk management professional.

The CISO is no longer the standard IT security technology solutions expert; executives require the CISO to become an enterprise risk management professional. This changed requirement demands a more risk-based approach, which CISOs must adapt to and embrace, moving away from a security-controls-focused approach to information security. That is not to say that security controls (and the associated tools) are unnecessary, because they remain important. The main focus, however, needs to be on risk management. A critical component of implementing a successful risk-based approach is building strong relationships with the business units within an organization and approaching them in a consultative manner to offer assistance and guidance. Today's CISOs require analysis, consensus-building, influencing, and strong communication skills.

Visibility and awareness have changed the CISO role over the past two years.

As explained above, the role has shifted from a primarily technical perspective to a risk management perspective. This change is a direct result (driven by the executive teams) of an increased awareness that preventative security measures and controls will never be 100% effective. Increased media coverage of information security breaches has been a tremendous help in raising awareness, yet analysis of the latest EU statistics shows it is still not nearly enough. Stay tuned for the next blog, which will present the EU factual analysis on cyber policy, risk, and exploits.

One consequence of the increased board-level attention to the impact of information security on overall risk is that the "CxO" suite in many organizations is more aware of and focused on information security. This board-level interest demands the risk-based approach mentioned above, and CISOs are challenged to deliver it.

What can a CISO do to cope with these changes and challenges?

- get a clear understanding of RESPONSIBILITY and AUTHORITY; these have to go hand in hand and be genuinely balanced, otherwise the CISO becomes accountable without any means or control to directly influence the outcome.

- get a forward-looking vision to manage the DIGITAL RISKS of the organization: understand the digital initiatives, the plans, and the preliminary choices (simply think CLOUD, IoT, or new apps introduced by the business).

- make a plan that describes the interaction and effects of the security ORGANIZATION, PROCESS, TOOLS, and PEOPLE. People remain the weakest link in security design and thinking; they always have been and always will be.

- fully understand the CURRENT RISKS involved in the IT architecture and the information it carries. Use a model of FREQUENCY, PROBABILITY, and IMPACT to QUANTIFY the return on risk.

- determine the RISK PRIORITIES to close the gap (and the COSTS of closing that GAP) between the status quo and where the organization must be 12, 24, and 36 months from now. Build a ROADMAP of security improvement items and initiatives.

- communicate in the language of the executive team and the board rather than in information security and technology terms.
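One way to turn the FREQUENCY/PROBABILITY/IMPACT model and the 12/24/36-month roadmap from the points above into a repeatable calculation, as an added example that is not part of this post and not the agileSI product's own scoring: the risk register figures and the per-horizon budget are constructed for illustration, and the return-on-risk formula (annual loss avoided minus mitigation cost, divided by mitigation cost) is an assumption, not a framework the post defines.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float        # expected threat events per year
    probability: float      # chance that an event actually causes a loss (0..1)
    impact: float           # loss per successful event, in currency units
    mitigation_cost: float  # one-off cost of closing this gap
    residual: float         # fraction of the loss that remains after mitigation (0..1)

def annual_loss(r: Risk) -> float:
    """Frequency x probability x impact: expected loss per year before mitigation."""
    return r.frequency * r.probability * r.impact

def return_on_risk(r: Risk) -> float:
    """Annual loss avoided per unit of mitigation cost (assumed formula); negative
    means the fix costs more per year than it is expected to save."""
    avoided = annual_loss(r) * (1.0 - r.residual)
    return (avoided - r.mitigation_cost) / r.mitigation_cost

def build_roadmap(risks, budget_per_horizon: float) -> dict:
    """Rank risks by return on risk and pack them into 12/24/36-month horizons,
    each with its own budget. Risks with a non-positive return, or that fit no
    horizon, are listed for an explicit accept-or-redesign decision instead."""
    roadmap = {12: [], 24: [], 36: [], "accept_or_redesign": []}
    remaining = {12: budget_per_horizon, 24: budget_per_horizon, 36: budget_per_horizon}
    for r in sorted(risks, key=return_on_risk, reverse=True):
        if return_on_risk(r) <= 0:
            roadmap["accept_or_redesign"].append(r.name)
            continue
        for horizon in (12, 24, 36):
            if r.mitigation_cost <= remaining[horizon]:
                remaining[horizon] -= r.mitigation_cost
                roadmap[horizon].append(r.name)
                break
        else:  # no horizon has enough budget left for this item
            roadmap["accept_or_redesign"].append(r.name)
    return roadmap

# Constructed sample register: illustrative figures, not real data
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing application", 4, 0.25, 500_000, 120_000, 0.2),
    Risk("Excessive administrative authorisations", 2, 0.5, 300_000, 60_000, 0.1),
    Risk("No central security log collection", 10, 0.1, 50_000, 80_000, 0.5),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: ALE={annual_loss(r):,.0f} return_on_risk={return_on_risk(r):.2f}")
    print(build_roadmap(SAMPLE_RISKS, budget_per_horizon=150_000))
```

The item with the best return is scheduled first; an item with a negative return is not silently dropped but surfaces as a decision the executive team has to take.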

The agileSI™ SAP® security maturity assessment is specifically designed to help CISOs build that ROADMAP, use that RISK SCORE FRAMEWORK, and express the RETURN ON RISK to executive teams.



Contact us at and we will be happy to explain what the SAP SMA can do for you and your organization.

Picture©: GettyImages-847519080-metamorworks
