The Chief Information Systems Officer (CISO) role has come a long way since its genesis in the mid-1990s, when pioneer Steve Katz became the world’s first CISO for the newly formed Citicorp/Citigroup following a critical data security breach.
Then, CISOs spent their tenures lobbying for greater budgets to commit to security, only for the executive leadership team – in the event of the inevitable cyber attack – to end up asking ‘What happened?’ and ‘Why/how did we not prevent it?’.
Thirty years later, as the global digital landscape accelerates at full speed into the future, more and more candidates are asking what it means to be a CISO and how to succeed in today’s business landscape. We took a closer look at the CISO role with a Division Director at Robert Half Singapore and specialised tech recruiter with more than a decade of experience, Suriani Norahim, and why it’s crucial they’re on the board of any organisation that reaches a level of complexity, risk exposure, or regulatory obligation that necessitates dedicated executive leadership.
Since the mid-90s, protecting companies against cyber-attacks has raced up the agenda. Security specialists have grown in stature from high-end technical consultants to critical executive leaders working across every facet of a business. In 2024, the role of a CISO is a pivotal one in any organisation dealing with large amount of data, or that is highly regulated or at risk of cyber attack.
“The role of a CISO today is expansive and demanding,” says Suriani. “Beyond shaping the company's security strategy, presenting to the board, and leading at the executive level, CISOs must also manage risk assessments, develop policies, ensure compliance, and oversee audits. Additionally, they're responsible for designing and maintaining the organisation's security architecture, as well as staying ahead of the curve by evaluating and implementing new technologies.
“With the average cost of a data breach in Singapore estimated to be S$3.23 million, today’s CISO must also be ever-ready to lead the response to incidents when they do occur.”
Though reporting structures will vary depending on a company’s size, industry, or hierarchy, the CISO typically reports to the CEO or another C-suite executive.
When reporting directly to the CEO, the CISO has direct access to the highest levels of decision-making within the business. Differing reporting lines tend to be reflective of the business’ strategic alignment of cybersecurity with operational, financial, or IT functions.
A common question, in addition to ‘How to be a CISO?’ is ‘Is a CISO higher than a Director?’. Suriani explains: “Generally, yes. Directors in various departments, such as IT, cybersecurity, operations etcetera, will report to senior executives, including the CISO, in an organisation where cybersecurity is a distinct function.
“Directors typically manage specific areas within their departments, such as cybersecurity operations, IT infrastructure, or risk management, under the guidance and strategic direction set by the CISO.”
Related: Why you shouldn't neglect business succession planning
Here are 5 reasons why it’s considered crucial to have a CISO on the board in Singapore:
“With a CISO representing security matters on a company’s board, they can directly communicate what is happening in the business to its ultimate decision-makers. Security matters can be highly technical and complex, often getting ‘lost in translation’ without an expert advocating for them on a permanent basis, so having a CISO on the board ensures dedicated attention and resources are allocated to protect the business,” says Suriani
The CISO also understands how fast the security landscape is changing and, of all board members, will be those most in tune with the evolving nature of the industry and the complexity of cyber threats. Internally, their impact is just as great; a CISO can share the latest insights with C-suite colleagues, enabling them to understand and appreciate risk in the context of the bigger picture.
Strategically, while a CISO is constantly monitoring systems, they are also developing policies, training plans, and updates. In the boardroom, they can help everyone take a proactive approach to security, because their vision will influence others. With a CISO on the board, a company is much more likely to improve its security posture before an attack takes place.
“Organisations with a substantial number of employees – typically 1,000 or more – and complex IT infrastructures require dedicated leadership for cybersecurity,” Suriani continues. “Likewise, companies operating in multiple countries face diverse regulatory requirements and a broader threat landscape, necessitating the strategic oversight a CISO brings to the table.”
Fast-growing companies that are scaling their operations, customer base, and/or technology infrastructure should also consider appointing a CISO to manage expanding cybersecurity risks. Or if a business is undergoing significant digital transformation, such as adopting cloud services or IoT, it’s critical to have a CISO on the board to ensure security is integrated into all new technologies and processes.
Related: 5 reasons why you should work in tech in Singapore
No rest for the CISO! The role is constantly evolving in response to emerging trends and technologies impacting cybersecurity, and aspiring CISOs should be committed to understanding how technology continues to impact cybersecurity.
For example:
AI and machine learning are being increasingly used in cybersecurity for threat detection, anomaly detection, and automated response capabilities.
Zero-trust security assumes that threats are both inside and outside the network and so processes and strategies are needed regardless of whether people are inside or outside the network perimeter.
With organisations increasingly adopting cloud services and migrating workloads to cloud environments (public, private, or hybrid), ensuring robust cloud security has become paramount.
The proliferation of IoT (Internet of Things) devices in workplaces and homes introduces new risks – especially with so many people working in hybrid roles or from home full-time – due to their often inadequate security measures and potential for exploitation in large-scale attacks.
Ransomware and cyber extortion attacks continue to evolve, with perpetrators increasingly using sophisticated tactics to encrypt critical data and demand ransom payments for decryption keys.
How to be a CISO today? A modern CISO is someone with deep technical expertise who can represent risk and security at a board level but who is adept at communicating with executives at every level. They are skilled leaders, influencing the strategic decisions of their C-suite colleagues and those using technology every day. Their role impacts everyone in a business; their specialist knowledge ultimately helps to protect against the potentially devasting personal (and commercial) impacts of a cyber-attack.
When considering how to be a CISO, a successful one will combine business acumen and technical skills. No longer the lone voice in the corner pressuring boards for greater budgets to protect a business and its greatest asset – its people, CISOs are a trusted adviser in the boardroom, influencing strategic decisions that integrate cybersecurity as a foundational component of business operations.
What qualifications do you need to be a CISO?
To become a CISO required qualifications often include a degree in computer science, IT, or a related field (eg law), coupled with certifications such as CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager).
What skills are required to be a CISO?
To become a CISO, individuals typically need a blend of technical expertise, leadership skills, and business acumen. They’ll be effective communicators, strategic planners, and collaborators. Key skills include a deep understanding of cybersecurity principles, risk management, and compliance frameworks.
What is the career path of a CISO?
Many CISOs start in technical cybersecurity roles like network security engineer or security analyst. As they gain experience, they move into leadership positions like security manager or director. Eventually, with proven leadership skills and a deep understanding of information security and risk management, they may ascend to the CISO role.
What does a CISO do on a daily basis?
A CISO's day is about safeguarding the organisation's digital assets and ensuring its resilience in the face of ever-evolving cyber threats.
This is done by:
Strategic planning
Risk management
Team management
Incident response
Communication and collaboration