The Modern CISO and the True Impact of AI

The opportunity from Generative AI is far greater, yet far less obvious, than what almost all of the pundits are raving about.

It is Captain Obvious territory to talk about the productivity gains from automating repetitive, tedious work: audit and accounting processes, the cybersecurity hygiene chores we don’t do now anyway, 3D modeling, predictive and preventive maintenance, customer service, knowledge management and data summarization.

But the biggest impact will come instead from allowing a long overdue re-alignment of duties and reporting relationships among CISOs, CIOs and the CEO.

Why?

Generative AI True Impact

Because tomorrow’s CIO will be able to move away from complex enterprise software packages designed around the business world of the 1970s and replace them with a deep relationship with generative AI (GAI) that can write code on demand: produce a general ledger and balance sheet from data stored in five files, and make sure they pass an audit sniff test; list all open payables older than 60 days and tee them up for payment based on the material and contract schedule found in two separate databases; age all open receivables past 45 days related to the projects under contract XYZ another 30 days; or add these four people to payroll, pulling their PII from the HR databases.

No need for Oracle, SAP, JDE, Great Plains or any of the other myriad sinkholes that require deep knowledge, high prices, and expensive, skilled, hard-to-find resources.

Which does what?

It frees up the CIO to focus on what he or she desperately needs to focus on in the computing environment of 2023: infrastructure, hybrid cloud services, configuration vulnerabilities, patches and open exploits, container configurations, network complexity, edge computing, SASE/SSE, advanced next-generation firewalls, zero trust principles, micro-segmentation, APIs, application security, DevSecOps, transitive exposures and poisoned code in code repositories, identity authentication and authorization policy, and on and on.

Infrastructure is Singular Negligence

And that is because all of the infrastructure issues, including those above, are far too complex for the modern CISO to carry alongside everything else, and need to be divided between those most capable of managing and addressing them: the CIO for infrastructure, and the people who know the most about cybersecurity, the CISO, for the rest. We don’t need CISOs proofreading Kubernetes configurations or cloud server permissions any more than we need CIOs weighing in on incident response plan (IRP) development or cyber insurance.

As my colleague, Geetha Nandikotkur, the Vice President-Conferences, Asia, Middle East and Africa, writes, “Cyberspace is a new terrain for conflict that has not been well-mapped, unlike the military war zone. Just as ancient cartographers were hampered by their belief that the earth was flat, cybersecurity is hindered by inaccurate beliefs about adversaries, risks and the operational promises of GAI. Many of the core concepts that shape our understanding of cybersecurity deserve rethinking.

Security professionals today are establishing the fact that they are not merely gatekeepers of data and systems, but also key enablers of business growth and a beacon of change, demonstrating inclusive leadership skills that drive innovation and strategic thinking.”

Let’s Get Smarter.

If boards were smarter, they would have a CISO on the board and have the CIO report to the CISO. The IT environment has been reduced to complex infrastructure and caretaking, and it no longer requires the business skill set it once did. A CIO’s number one focus should be on preserving cybersecurity defense, governance, compliance and education, and on provisioning a clean, efficient and well-hardened data center complex in which key information assets can live in safety and peace.

In this new world, today’s CIO should become a cloud, container and network expert whose primary concern is vulnerabilities, threats and exploitation (organizational and operational). He or she is the person who must configure super-clean cloud instances, container access privileges and identity policy, and who must decide how much of the network moves to a SASE/SSE model and where the hybrid cloud instances reside.

Education is critical for growth in cybersecurity, and the CIO should own the initiative for the whole organization. What we used to think of as core or fundamental coursework is now critical for ALL employees, and everyone has to step up and own more of the puzzle. The modern CIO must set forth the guidelines on which specific topics and courses the enterprise needs at varying levels, and the Board should understand that without education, the enterprise is as weak and vulnerable to future change as our public school system, now ranking 24th globally in math and science, while our adversaries occupy the number 1 slot, globally.

Strategy and Future Growth

The new CISO role should move away from infrastructure and threats and toward strategy: how much risk do we accept and how much do we transfer, what can we learn from nation-state and geopolitical activity, what must we do to comply with GAI regulations and with liability and fiduciary duties of care, how much exposure do we have in copyright and IP, and big decisions like how much longer we stick with Microsoft, if at all, and what alternatives are available.

The CIO’s performance metrics should be OKRs and KPIs centered on uptime, availability and accessibility, while the CISO should be driven by MPIs around vulnerabilities, process, competency, prevention, protection and defense posture.

Today’s CEO is in the business of keeping the enterprise de-risked and safe from intrusion, infestation and infection. He or she needs two partners in that effort: one to maintain a great processing environment and one to maintain a safe space for key corporate assets.

The technology and business systems components of these jobs have always been too broad for just one person and this re-alignment can’t get here fast enough.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
