Does Your Organization Have a Chief Information Security Officer?

The infamous Target breach of 2014 underscored the significant hole that many organizations didn’t realize existed in their internal executive structure. When 70 million customers’ data had been breached, including 40 million credit cards stolen by hackers, Target’s CIO was forced to resign. Many companies have been breached since, and public reaction is swift and often brutal.

Unprepared C-suites might find themselves scrambling for a stopgap solution. That solution has come in the form of a C-level position devoted to digital security, something Target lacked in 2014: the chief information security officer, also referred to by some companies simply as the chief security officer.

‘C’ Changes

Many C-level positions have somewhat overlapping, generally complementary roles within an organization. The CTO and CIO have interlocking purposes for most companies. The former is an executive role that focuses mostly on core technologies, technology integration, and any supporting technologies within a specific area; the latter is well-versed in proprietary information and regulatory practices, and is often tasked with customer-facing representations.

The CISO is an emerging position designed to ease the burden of information security on either the CTO or, more typically, the CIO. With more information moving to the cloud, the Internet of Things growing at an exponential rate, and cyber-borne threats evolving on a daily basis, the CISO is indispensable for mitigating risk by monitoring and analyzing potential security concerns. Think of the CISO as the third leg of a stool with the CIO and CTO. All have a role to play in keeping an organization safe, competitive in the marketplace, and running efficiently.

The Duties of a Diligent CISO

At the foundation of protecting information security is the management and minimization of risk, which is one of the key responsibilities of the CISO. By providing a wide breadth of information and experience in protecting a company’s information and security infrastructure, they can put other executives’ minds at ease and save the company untold money by preventing work disruption, lawsuits, loss of consumer confidence, theft, and much more.

The CISO likely incorporates a set of security and prevention techniques to stay abreast of the current threat landscape and tools to keep company data safe. These techniques might include vulnerability assessments, white-hat hacking or penetration testing, security audits, application testing, and cloud risk assessments.

The CISO position is “about having a broad and deep perspective on risk, and how to enable the business while minimizing that risk,” Salo Fajer, CTO of Digital Guardian, a data loss prevention and security services provider, told CIO.

Risk management, in this broad sense, can also be interpreted as a novel approach to enhancing a brand’s or company’s value.

CISOs will also spearhead, or at least oversee, initiatives for loss prevention, fraud prevention, business continuity planning, and privacy. Many also oversee communication with consultants and vendors, negotiations of contracts for those parties, and they establish company-wide specialized security efforts, including human resources, communications, legal, and facilities. They should also be involved in organizing effective cybersecurity training for all employees.

Though physical security and digital security have vastly different needs, more companies are preaching cooperation between these two entities for a holistic, results-oriented security strategy. The CISO should closely monitor this collaboration and be sure it is doing what it can to boost digital security.

CISOs must work to assert themselves, gain the trust of their fellow C-suite members, and overcome an often-tricky political field to accomplish their security goals.

The Resume of a CISO

The work experience of a versatile CISO likely includes an IT/security background and possibly a degree in business. Many of them hold multiple certifications to bolster an already-impressive set of skills. Their unimpeachable confidence and knowledge of a company’s security system make them the go-to individual to discuss a breach privately and publicly, if and when one should occur, and they will form an intentional, well-designed response involving multiple teams.

The best CISOs think creatively and adapt to an amorphous, often unpredictable collection of threats. Technically curious and vigorous CISOs quickly learn a company’s security systems and decide which security methods work best for an individual organization; the complacent CISO looks instead to ship out all important security decisions to third parties. Vendors, even industry-trusted ones, do not provide one-size-fits-all IT solutions, so a CISO should understand which vendors will apply best to the security network at hand.

A further duty of a CISO is to take complicated risk analyses, prevention scenarios, and incident responses and translate them for the benefit of the other C-suite executives. By communicating security in terms of business objectives, the CISO helps bridge a gap that previously existed in many organizations’ highest rungs.

The Exec You Didn’t Know You Needed

A late 2015 survey of organizations found that fewer than half of them employed a CISO, and more than two-thirds claimed that there is a global shortage of skilled cybersecurity specialists. The CISO role is new, so industries are course-correcting in order to account for this sudden need and the scarcity of available, talented CISOs.

Just as content hackers, data scientists, and even IoT specialists were titles that did not exist 10 years ago, the CISO is now an indispensable ally for an enterprise in the fight to keep data safely where it belongs. The ultimate task for a CISO is to continuously add business value to the company by sparing it the expense and fallout from a data breach. Doing this successfully can provide an advantage over other companies that do not have such a talented and vital individual on staff.

If your organization does not yet have a CISO, are you planning on hiring one? Tell us why or why not in the comments section.