The importance of a CISO

Security is one of the fastest-evolving and most complex areas of information technology and a critical concern for companies in just about every industry. Threats to the security of data are increasing and organizations continue to struggle with the changing security landscape and regulations. Sadly, security incidents and data breaches are becoming common place in business today. Companies are realizing the need for a Chief Information Security Officer (CISO), responsible for security.  It is also important to have an executive responsible for making security decisions and educating the management team on risks. Surprisingly, few companies have a dedicated CISO who is responsible for security within the organization. As a security consultant who’s worked with many organizations, below are the most common questions I have been asked when explaining the importance of a CISO.

What is the role of a CISO?

The CISO advises the executive team on how the organization needs to meet security requirements to do business in their given industry. The CISO oversees a team that together has as a view of the risks facing the enterprise and puts in place the necessary security technologies and processes to minimize the risks to the organization. She is empowered to communicate risks to decisions makers and take action independently when necessary. She also advocates for investment and resources to ensure security practices are given appropriate attention.

The role grows in importance with every security breach, vulnerability, and incident that occurs. Security threats have been much more aggressive in the last few years and range from a hacktivist to criminal organizations.

What attributes does a CISO need?

• Executive Presence: The CISO should have the executive presence to effectively represent the organization's position regarding information security and the ability to influence executives. They need to be able to identify and assess threats, and then translate the risks into language executives can understand
• Business Knowledge: The CISO needs to understand business operations and the critical data that organization is trying to protect. She needs to view business operations from a risk versus security perspective and implement controls to minimize risks and business disruptions.
• Security Knowledge: A CISO must be capable of understanding complex security configurations and reports from the technical perspective, and then be capable of translating the relevant technical details into language that other executives can understand.

What are the CISO's job responsibilities?

A CISO would be tasked with the following objectives, but specific responsibilities would depend on the size and maturity of the organization.

• Reporting & Executive Management Communication: Developing reports, presenting, and advising top executive management on all security matters.
• Risk Assessment: Perform a risk assessment to understand the overall vulnerability of any particular asset within the organization.
• Strategic Security Roadmap: Develop a roadmap and budget with sized, sequenced, and prioritized initiatives.
• Risk Management Program: Evaluate and advise on new security threats while maintaining a risk register and corrective actions plan.
• Regulatory Compliance & Audits: Document high level requirements for compliance and assure that strategic goals are implemented within a controlled, secure framework.
• Vendor Management: Manage and provide oversight of vendors and lead the associated due diligence.
• Policy & Procedure Management: Development and adherence to security policies and procedures.
• Asset Assessment: Classify assets based on their criticality and business value.
• Security Architecture: Review security architecture for new projects and applications.
• Awareness & Training: Maintain/update training and awareness plan and materials.
• Incident management: Manage, communicate, and coordinate a response to security event/incidents.

Do all organizations need a CISO?

In a perfect world, every company would have a CISO. The role of CISO has become critical to the operation of an organizations, regardless of industry and size. However, a small/medium sized business may not be able to justify a dedicated CISO. In those cases, it could make sense for the CIO to take on the responsibilities of a CISO and leverage external consultants to provide targeted guidance and expertise.

What are common pitfalls with hiring a CISO?

Organizations often find themselves using existing internal IT professionals who are focused on operations. They have little experience performing a risk assessment, and then implementing recommendations to solve complex business related issues.  The CISO really needs to understand the business risk, not just the IT risk.

An effective information security program can only be achieved when a holistic approach is adopted.  This approach should take into consideration the people, process, and technology of information security while adopting a risk-balanced, business-based approach. The success of an information security program has as much to do with people and process as it does with technology.

Having a security team that is responsible for the management and oversight of information security is crucial. And obtaining a strong CISO is one of the most important tasks in an overall strategy to effectively protect your business and critical data.