Before we look at whether it’s right for your organisation to invest in hiring a Chief Information Security Officer (CISO), it’s important to understand what a CISO is and what some of their core responsibilities are.
The CISO is a board-level role responsible for leadership on information and data security. A core tenet of the role is that the CISO focuses on establishing and maintaining the enterprise vision, strategy, and programme that ensure information assets and technologies are protected. As the range of threats faced by organisations has evolved, and as responding to changing attack vectors and expanding regulatory requirements has become more complex, the profile of the CISO is transitioning from a technical one to a broader business-operator one, so that they can collaborate with colleagues across a wider range of business functions than before and get cybersecurity onto the board agenda. This change in the role profile, driven by the threats organisations now face and the complexity of responding to them, has widened the range of responsibilities to cover:
- Cyber risk intelligence – a dedicated focus on keeping up to date with developing threats and the methods by which you can best protect your business now and in the future, ensuring that you can continue to operate and grow
- Access management – securing your systems and devices to reduce the risk of the wrong people gaining access and carrying out an attack
- Data loss prevention – ensuring that your staff don’t operate in a way that puts sensitive data at risk, and that they are unable to misuse or steal this data
- Incident response management – ensuring that a bespoke response plan is developed, rolled out and implemented to all relevant staff, kept alive with regular testing, and effectively led during a live incident
- Compliance and governance – being a voice for the overall security position of the organisation and making sure that relevant regulations, compliance demands, and protocols are understood and in place.
The above is neither exhaustive nor definitive, but hopefully it gives you a clearer idea of what the role and responsibilities look like, and how they have changed in recent times. Now, is this right for your business? Should you be hiring a top-level member of staff to help protect your organisation’s crown jewels?
There are many benefits to having a CISO in place, and this might be the right hire for your business, especially if you have already made real progress on your cyber and information security position. The CISO will be able to:
- Demystify the subject of cyber security for the senior leaders/board
- Drive cyber/business risk alignment to facilitate keeping the business running
- Educate and advise the wider business on cyber risks
- Monitor compliance with policies/regulations
- Be a contact point for regulators/customers/partners
Without a CISO in place, all of these responsibilities typically sit within an existing role whose holder may not have the skills or experience required to really lead the topic, or in many cases they are simply not clearly defined as part of anyone’s role. This can cause real issues when a cyber-attack occurs, or when customers, investors or partners ask difficult questions.
However, this does not mean that you need to run to HR and start hiring for a CISO; there is a range of things to consider before you think about investing in this role. Some of the main points for consideration are:
- Retention/succession planning – it may be difficult to hold on to or replace someone with the right skills and experience for your specific business
- It can be difficult for a business to scale the need for CISO expertise up or down in line with its growth, budgets and changing appetite for risk
- Over time their focus could become organisation specific, which may hamper wider/situational awareness around security
- There is significant cost to keeping a CISO trained/updated due to the dynamic nature of security threats
- The CISO is a senior role, so it will require team members to carry out operational duties, which means additional cost for hiring, retention and training
- An employed CISO may lack objective independence especially if the reporting line/chain of command is not appropriate
- Unfortunately, they may become a scapegoat if the security function is not staffed appropriately, if they do not have a dedicated security budget, or if security is under-invested in generally
As reported by Intelligent CISO in December 2021, more than half of the UK businesses surveyed by Fastly, Inc. plan to hire a CISO within the next two years. This could lead to a lot of hiring that is reactive and not well thought through; we all know that fear can lead to ill-thought-out action. Further, a common problem in the security industry is the high turnover rate of CISOs. What is the turnover rate of the security team in your organisation?
There is another option, and that is to partner with a cyber security professional services organisation like CyberScale and take advantage of their Virtual Chief Information Security Officer (vCISO) service. Watch this space for an upcoming article looking at why a vCISO might be the best step for you to take.
Do you know what is right for your organisation? CyberScale are on hand to provide an objective validation that your plan to bolster security resource within your organisation is right for now and the future.