CISO Voices: The evolving role of the CISO as a storyteller

Share with your network!

Jenny Radcliffe of Human Factor Security recently sat down with Lucia Milică Stacy, vice president and global resident chief information security officer (CISO) at Proofpoint, to discuss the current state of play in the cybersecurity industry. They covered everything from high-profile attacks and cybersecurity skill shortages to changing roles and diversity. 

Here’s just some of what Lucia had to say:

On the evolving role of the CISO

I feel very fortunate that my role allows me to sit on the other side of the table and talk to my peers about their day-to-day challenges. While each individual has their own battle to fight, in compiling the 2022 Voice of the CISO report, one common thread came through repeatedly. On the back of the COVID-19 pandemic, high-profile cyber attacks against household names and critical infrastructure, and a rise in hybrid working, it’s clear the role of the CISO is changing. 

These events and more have underscored the importance of our role and how critical it is to the ongoing success of our businesses. While the CISO function was once viewed as an IT issue, it is now a vital business function. We have had our “aha!” moment with boardrooms finally understanding that cyber risk is business risk.

CISOs aren’t seeing eye to eye with the board

Another common theme among CISOs is a struggle to stay on the same page as the rest of the board. The result is often a companywide disconnect between security awareness and preparedness. This ultimately comes down to a continued struggle to adequately communicate cyber risk. But as always, there are two sides to the story. 

On the one hand, while boards undoubtedly want to understand the risks facing their business, there remains a lack of cyber and technical skills at this level. So, we must continue to push cybersecurity oversight and knowledge into the boardroom. We’re already seeing this in places like Australia, where board-level cybersecurity expertise is now a common requirement. In the United States, the U.S. Securities and Exchange Commission has also proposed cyber rules, which are set to be finalized in April this year.

But that said, cybersecurity professionals need to play our part, too. We need to be able to tell the story and paint a compelling picture of the consequences of risk. That means ensuring that we speak business language rather than technical jargon. We must transition from talking in metrics and KPIs (key performance indicators) and instead link cyber risk more closely to the business narrative.

Closing skill gaps, dispelling myths and promoting diversity

We’re still seeing a substantial skill shortage in our industry, and as older leaders retire, this will only become more pronounced. 

While there was no specific cybersecurity position when today’s more experienced workers started out, it was part of everything we did. So, when the CISO and other related roles were created in recent years, we had people who could easily slot into the position. Equally, with cybersecurity now a much greater focus, we are bringing talented workers straight into entry-level cyber positions. 

However, the gap remains in the middle layer, with a lack of seasoned security managers or directors ready to enter senior leadership roles.

On top of this, there’s a diversity issue that continues into the next generation. I’m often told I don’t look like I work in cybersecurity, almost certainly because I’m not a young man in trainers and a hoodie.

We must address this image problem and create a clearer path for younger people of all genders, ethnicities and backgrounds. For many organizations, this likely means a complete rethink of diversity and inclusion programs to ensure we can seek out the very best talent, wherever it may be.

Want to hear more from CISOs?

Head to CISO Voices to listen to Lucia’s chat with Jenny in full and find further episodes.

Jenny’s Human Factor Security podcasts also feature further insights from cybersecurity experts. Look out for our next CISO Voices blog post to discover cybersecurity insights from Kate Mullin.

Proofpoint CISO Hub

Visit our CISO Hub to get regular updates on cybersecurity research, insights and resources specifically for the global CISO community.