Technology has undoubtedly changed the business world forever, and its pervasive influence cannot be ignored. Marc Othersen certainly agrees with that widely held sentiment as chief information security officer (CISO) at Hess Corporation, an oil, gas, and energy solutions company in New York. He knows that technology is a deeply integral part of how today’s businesses communicate, grow, and function as a whole. Such innovation enables companies, including Hess, to operate more quickly and efficiently than ever before. But with these benefits come new and unforeseen threats. Enter the CISO.
“The tremendous growth in focus of the CISO role really began about seven years ago, at the time when cybersecurity breaches were being discussed in the media,” Othersen says. The overarching responsibility: cyber risk. “We run cyber defensive programs. Today, it tends to be more operational,” he adds. Generally speaking, the position oversees operations, investigation work, response work, and all of the awareness and training functions related to cybersecurity.
Othersen is the perfect fit for the role of a CISO. With a technical background, he began his career as a coder, programming firewalls and servers. Later, he became a consultant for firms such as Ernst & Young and Deloitte, advising companies on what kind of cybersecurity is needed and how to build, maintain, and operate it, before becoming an industry analyst. This career path, he says, created the ideal skill set for the CISO position.
“I got to see multiple industries and multiple perspectives in regards to security, and what will work and won’t work while doing consulting,” Othersen says. “I became experienced in very high-level markets, technologies, and vendors as well as the motivations behind vendors as an analyst.”
Both business acumen and technological knowledge are necessary to properly do the job, says Othersen, who adds that it is a business-focused position first and a tech discipline second. A background in technology and cybersecurity forms the foundation for knowing how everything works and how each mind-set integrates as a CISO.
“You need to be able to put your cyber risks in perspective to how a business functions, so that you can tell a compelling story in a context that your audience will understand,” Othersen says. “It is not different from any other executive position.”
At Hess, Othersen exemplifies what the CISO role entails and demonstrates its importance. From an operational perspective, he examines the metrics of the security programs to understand how well they are operating or if any hot spots indicate something he would need to adapt or strategically modify to execute the program.
Another important function of the job is intelligence, which Othersen also performs at Hess. He examines daily intelligence briefings, which are provided by external sources. Then he utilizes that information to make any necessary modifications that will change the strategic direction of the program to cover any new threat that was previously nonexistent.
If threats become prominent, the CISO is responsible for communicating them at the executive level. “I need to create an executive awareness campaign on what is the topic, issue, risk, what are we doing about it, and put it out in some form, so that I can make the other executives aware of what is going on that could potentially impact us as a company,” he says, adding that there is the potential to have to communicate out every single day.
In the future, these crucial responsibilities will only continue to become more important. The way Othersen sees it, cybersecurity is tied to technology—and the adoption of technology by companies is speeding up. “All these things are so integrated and cybersecurity is so tech-centric that it is going to continue to get elevated to the point that it will just be a normal way to do business,” he says.
This momentum, he believes, will ultimately result in the integration of cybersecurity programs into other enterprise risk programs, mirroring their breadth of influence, corporate focus, and executive reporting requirements. In the same way as a chief financial officer advises on financial risk and a general counsel advises on legal risk, the chief information security officer will advise the enterprise on cyber risk.
Yet, Othersen welcomes change regardless of what the future holds. “My favorite thing about this career is that it’s not boring and it’s constantly changing,” he says. “There will always be something new.”