HBS logo

The CISO Evolution

The Role of CISO graphic

The role of the Chief Information Security Officer (CISO) has changed dramatically in recent years. What was once a behind-the-scenes function focused on keeping systems safe has now evolved into a strategic position within organizations worldwide.

Today, CISOs are not just the gatekeepers of cybersecurity but are also crucial to business decisions, responsible for balancing security with innovation and growth. They’re expected to translate complex cyber risks into language the board can understand and play a direct role in protecting an organization’s bottom line.

In a recent panel discussion during the Secure Iowa Conference, industry experts explored the shifting responsibilities of CISOs, highlighting the challenges and opportunities that come with this evolving role.

  MODERATORSteve Heston

Steve Heston - Senior Solutions Consultant - Heartland Business Systems

Steve Heston is a career “growth guy,” having led companies and divisions of companies large and small, private and public to grow revenue, profits, market share and operating efficiencies. In his role as a Solutions Consultant for HBS, he works with to help a select group of Clients grow by establishing and executing Information Security and IT strategies and solutions. With experience across multiple industries ranging from consumer packaged goods to broadcasting to banking technology, Steve is a “Why First” leader who helps clients challenge the status quo as a means of creating positive impact on their businesses and the teams they employ.

  PANELISTRyan Cummings

Ryan Cummings  - Head of Security - Avenue One

An experienced senior leader with demonstrated business performance and a highly successful record of delivering complex systems across an enterprise, Ryan possesses extensive knowledge of information technology, cybersecurity, project management, contracting, and personnel management finance within the education, insurance, healthcare, and logistics industries.

  PANELISTShane Dwyer

Shane Dwyer - Chief Information Security Officer - State of Iowa

Shane Dwyer is the State of Iowa’s Chief Information Security Officer. He is the principal executive for state-wide Cyber Operations which include data-center services, hosting services, information security services, and networking services. Shane is active at national forums including serving as an Executive Committee member with the Multi-State Information Sharing and Analysis Center (MS-ISAC); Cybersecurity Policy Advisor with the National Governors Association; and a Cyber Advisor consulting with the National Association of State Chief Information Officers (NASCIO).

  PANELISTPaul Suarez

Paul Suarez - Vice President and Chief Information Security Officer - Casey's General Stores

As the Chief Information Security Officer at Casey's, Paul leads a cybersecurity team that secures the retail operations of a Fortune 400 company with over 2,600 stores and 43,000 team members. He has over 38 years of experience in cybersecurity, network operations, cyber operations, and telecommunications systems, spanning both the public and private sectors.

  PANELISTPatrick Wright

Patrick Wright - Chief Information Security and Privacy Officer - State of Nebraska

Patrick is the State of Nebraska's Chief Information Security and Privacy Officer and is responsible for overseeing data security and privacy for the state government. His position includes strategic cybersecurity vision, statewide cybersecurity initiatives, cybersecurity and privacy operations, incident response, compliance under federal requirements, Federal and State law, and industry standards. Patrick is an information security professional who has worked in both the public and private sectors and holds multiple industry certifications, with a bachelor's degree in information technology and a master's degree in public policy and administration.

Panel discussion has been edited for length and clarity.

CISO Evolution: From the Backroom to the Boardroom

Steve: How has the job of CISO evolved in the last five years?

Paul: Not a week goes by that everyone doesn't read about cybersecurity—it’s always in the news. Your fellow employees know about it, your board members know about it, your family knows about it.

Because of the prevalence of cybersecurity and cyber hacks that are in the media every single day—and let's face it, they affect companies like ours every day—technology is being forced into the hands of users who didn't used to have that technology. Cybersecurity was the realm of the geeks in the back doing that cyber thing. But nowadays, you're learning about, and having to answer questions from your users, about passwords, firewall, VPNs on phones, which data scraping tools should be used, etc.

Security is now in the hands of the consumers and our employees that we're supporting—the conversation is in our face, and can’t be avoided.

Ryan: From my perspective, we've become a lot more business-focused. We have to understand P&L sheets, we have to understand how the company makes money, how they drive revenue, how they go to market, and how our tools, our processes, and our people—that we work to educate and train to keep safe and secure—how all of that affects the overall bottom line.

Coming from a healthcare background, we've seen a big shift from security tooling around data and system security, to more of a focus on privacy.

Shane: I look at this question from the perspective of my overall career arc. I started as an operations manager in the U.S. Air Force and that helped me think about what does it mean for the business, and the day-to-day challenges they face. That allowed me to think about how I approach things like risk and risk management and business impact.

One of the things that I've learned over the past few years, is that it is not about the size of my budget. It's not about the number of people reporting to me. It's about the impact that I have on those business areas and how I make their jobs easier. And I think those things have really transformed. We’re not just the keepers of the firewalls and servers. We actually make a huge business impact.

I also think how we go through and identify real-world problems. How does the technology we oversee help out the Department of Public Safety? How can their day-to-day problems be made easier with technology? What happens with a law enforcement officer when their technology fails at 2 a.m. and they’re pursuing a suspect? It is necessary for us to understand the issues that arise and the problems our end-users face. Because if it is not easy to use the technology and security tools in place, they’re going to bypass them. We need to meet our end-users where they are at so we can work through those challenges together.

Steve: Patrick, you said something earlier that resonated with all of us—the CISO’s office shouldn’t be the place someone comes to hear “No.”

Patrick: We were initially focused on security technical controls, focusing on implementing this or that control, but we are now focused on being a business enabler. What we should all be asking now is, “How can we help you do your job and achieve your business objectives?” Accomplishing those in a safe and secure manner.

When we as CISOs can be embedded in the business processes early on, we can say, “Help us help you.” We can enable our organizations to achieve success in a secure way, leading to compliance, and really benefiting the organization as a whole.

CISO Roles in Budgeting

Steve: Let’s talk about transparency in the budgeting process. Patrick, you mentioned that from a public sector perspective it’s a longer budget cycle.

Patrick: In the state of Nebraska, we operate on a bi-annual (two year) budget cycle. That means I have to be projecting out what my resource allocation needs to be two years into the future. What am I going to need for resources, both personnel and tooling capabilities, two years down the line?

So I have to be able to set those services and those capabilities two years in advance when I can't tell you what the cyber landscape will look like in six minutes. It can be difficult to balance the direction we want to go, along with our budgeting modeling, our initiatives, what we believe our capacity will be, with the legal and legislative initiatives that are coming down the pipeline.

From a state perspective, it is very important for me to be able to predict these things and think strategically both in the short and long-term.

Steve: It's not just about the real cost when it comes to budgeting, but also how you factor in the potential costs.

Ryan: I think there is definitely a bit of an art to some of that, and when you are helping people who are responsible for the budget, and the people who are signing off on your personnel—whether it be contractors, new employees, the tools that you're going to use—you really have to understand how they think about the budgeting process.

As a CISO, you need to be able to integrate what you need into what the business needs and be able to explain it in easy-to-understand terms. You need to be able to explain that the landscape is changing, there’s going to be unknowns, and you’ll need to be able to work with other parts of the business to operate within the overall budgets and the constraints of your organization.

Building Stronger Partnerships: CISOs and Third-Party Collaboration

Steve: How has the role of vendors and partners changed, or how does it need to change for you to be successful in your role?

Paul: The ability of a vendor to work with us to provide more service without increasing the price, moves them from a vendor to a partner. I would ask everyone: work with your vendors, understand what they have, not just on their roadmap, but maybe some things that they're thinking about in the lab, and find out if there are ways that you could be a development partner, you could be an early adopter at a better rate.

The other thing to look at is platform vendors. Are there some vendors that you're working with that  can provide a lot more services to you off of that same platform. Instead of spreading out your needs among two or three vendors, is there value in consolidating and get more bang for your buck?

AI and the CISO: Navigating the Opportunities and Threats

Steve: If there’s any elephant in the room, its name is AI. How do we use it, and how do we protect against it?

Shane: How do we safely build a box for AI? We don’t necessarily care what it does in the box, but we do care that it is meeting certain expectations—is it using already established procurement standards? AI is no different than any other tool. It just has different functions.

We need to understand the business outcomes. What is our business actually trying to do, what problem is it trying to solve? If you’re automating things like an ambulance service, or you’re attempting to interpret or assess a law, there’s an actual business outcome that we’re trying to achieve—we must ensure that the end-user is not blindly trusting it.

You also need to figure out what AI means for intellectual property rights and discriminatory practices. Those are major challenges that the business community has to think about.

Finally, how do AI and security work together? What does it mean for innovation and privacy? How do you have qualified staffing for AI? We need to train, upskill, and reskill people that are working with AI, because otherwise we’re asking out people to work with something that haven’t been properly trained on, and in the world of security, that’s a dangerous path.

Paul: I would challenge anybody to prove that AI is a new threat from a cybersecurity perspective. You can build malware faster, you can send better phishing emails, you can chew through data a lot quicker to figure out how to hack. But you're still hacking in the same way as before.

You're looking at it from three perspectives.

  • How do I defend our use of AI?
  • How do we defend against hacker use of AI?
  • How do I use AI to better defend my organization?

Ryan: What AI has done for us—especially on the security side—it has allowed us to identify outlying patterns or outlying issues. We’ll load log files into an AI tool and generate some web application firewall rules. It's allowed us to shift the time period that we have, waiting to see if things are effective, to a much smaller window.

AI is something we need to embrace instead of immediately telling people “No, you can’t use it.” We need to educate our people on what is appropriate information and data to give to AI tools, and how to identify and avoid some of the AI pitfalls, like hallucination.

There are some really cool use cases with AI and as time goes on and as we figure out better use cases and better scenarios of how to leverage the tool much better, it's going to open up a lot of different possibilities and opportunities for all of us.

Patrick: There is a very low barrier of entry for these AI tools. You don’t have to be as technically savvy to enter the market anymore. You have tools that can do things for you—generate images, create content, and write malware. As we defend against these threats, the barrier for entry continues for bad actors continues to lower, and it’s making our job more challenging.

But at the same time, AI is also assisting our capacity to fight against these things. AI can be a force multiplier for our teams. AI will automate processes that are mundane and it will help us make our skilled cybersecurity practitioners and cyber operators more effective and more efficient in the threat landscape.

When you look at things that Shane and I are dealing with—like election security, for example—so much of the content out there is falsified and/or AI-generated. Content is being created faster than ever before thanks to AI.

Threat actor groups are starting to use some of these AI tools for the commoditization of malware. They have tools that are writing malware for them—ransomware as a service. All of these things are making our job as defenders more difficult.