What's the Future Path for CISOs?

A panel of former CISOs will lead the closing session of this week's RSA Conference to discuss challenges and opportunities.

Female CISO with tablet in operations center
Source: Kjetil Kolbjørnsrud via Alamy Stock Photo

Security professionals who rise through the corporate ranks and become chief information security officers (CISOs) often believe they have reached the pinnacle of their careers. But for some, the CISO role is a path to overseeing all of IT. 

Many CISOs mentored by Renee Guttmann-Stark aspire to advance to the chief information officer (CIO) or chief technology officer (CTO) role, for instance. Gutmann-Stark is among four former CISOs who will discuss the future of leading an enterprise security organization on Thursday during the closing session of this week's RSA Conference in San Francisco. 

In an interview before the session, entitled CISOs Unchained, Gutmann-Stark acknowledged that she never aspired to rise above CISO, indicating her preference for focusing on cybersecurity. "It is too exciting," she says. "I really didn't feel the need to explore doing anything else." 

However, Guttmann-Stark says she's seeing more CISOs taking on CTO roles, such as Jamil Farschi of Equifax. After six years as Equifax's CISO, Farschi was promoted to CTO last month. "There is an emerging trend in business: CISOs are expanding into technology," Farschi announced on LinkedIn

Farschi pointed to other CISOs who have also become CTOs, such as Brian Minick of First Third Bank and Craig Froelich at Bank of America. He noted that, like the CISO, CTOs are immersed in an entire business, manage risk, and can lead technical teams. 

Future of the CISO?

Despite some CISOs rising in the ranks, most face challenges says Guttmann-Stark, who is now principal of the advisory firm CisoHive. Before launching CisoHive, Guttmann-Stark held several CISO roles at companies such as Royal Caribbean, Time Warner, and Coca-Cola.

Among those challenges are ongoing job vacancies, challenges getting liability insurance, and the difficulty of purchasing all their core tools from one vendor. People also want to know how the CISO role will evolve and how to handle the barrage of attacks. 

During her 30 years in cybersecurity, Guttmann-Stark says she never experienced a major headline-grabbing attack or breach, although there were plenty of routine incidents. 

"The reality is that you always have something going on or some event," she says. "And I used to tell people that my job is to see if there's a fire in a garbage can and make sure it doesn't burn the building down."

The most notable incident that Guttmann-Stark can recall occurred when she was Coca-Cola's CISO, and a service desk person of a non-wholly owned division took home a laptop with data that wasn't fully encrypted. The company was compelled to have her organization check out all the laptops during the Christmas holiday. 

"We worked pretty much day and night going through these laptops to see if there was anything of interest there that would potentially need to be discussed outside the company," she recalls. 

Impact of AI

The most significant opportunity for CISOs today could be leading the deployment and governance of technology that automates tasks using artificial intelligence (AI).

"I believe there is a lot of merit to AI, especially having it work on things that are just so mind-numbingly boring, or where it can do repeatable tasks much faster than any one person can do," Guttmann-Stark says. 

She notes that she attended a recent conference where five CIOs on a panel discussed the importance of AI. "They basically said they wouldn't even entertain talking with a vendor unless that vendor was contemplating the use of AI within their solution," she says.

Similarly, CISOs she mentors ask where they can gain more proficiency in AI. Guttmann-Stark says she took two-day cyber-risk classes offered by the National Association of Corporate Directors. 

She says CISOs should be aware of what their boards know, especially given the new SEC data breach reporting rules

About the Author

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights