What is the role of the Chief Information Security Officer?

Mandy Simpson
Cyber Toa
Published Apr 3, 2017

Businesses need to be thinking about information security as part of their overall strategy and incorporating it into their day to day decision making, not adding it as an afterthought. A Chief Information Security Officer, or CISO, can bring the skills, experience and dedicated resource needed for this challenge.

So what exactly does a CISO do? What benefits does a company get from appointing one? What skill sets should they be looking for?

The CISO role

Firstly, it's worth pointing out that there is no single definition of the role of a CISO. Companies, and individuals, approach the role in different ways. But there are certainly some key elements you can expect your CISO to take responsibility for.

Provide advice to the Board on cyber security

It is the Board’s responsibility to understand the risks of the business, to set risk appetite and prioritise resources accordingly. To do that they need good advice.

The CISO must understand what the company’s critical information assets are, and where they are held. They must understand the cyber security threats the company faces, both in nature and likelihood, and they must be able to articulate the consequences of a breach. With this information the Board is in a much better position to weigh cyber security issues alongside all the other business challenges it is seeking to balance.

Recommend internal security policies and raise employee awareness

Increasingly, internal staff are becoming the biggest threat to information security, whether by being innocent victims of a phishing scam, by accidentally sending confidential information to the wrong person, or by taking malicious action against their employer.

A CISO is responsible for promoting and encouraging security habits within the organisation to maintain appropriate standards for the information being handled. They can ensure employees receive awareness training, and understand the risks and consequences of their actions, both online and when handling physical copies of information. They are also responsible for technology and policy decisions to enable malicious insider threats to be mitigated.

Maintain a comprehensive security program

The CISO is responsible for ensuring that the company’s cyber security program operates at an appropriate level for the business, that it can detect and protect against existing threats, and that it is responsive to changes in the environment, including adapting to emerging threats. They will be responsible for ensuring risks are identified and mitigated, and are likely to have significant input into the company-wide risk management programme. They also maintain the organisation’s links with the local security industry and with university research and education programmes.

Prepare an incident plan for a security breach

In the current environment it is risky, even naive, to assume that your business will never suffer a cyber security breach. A CISO should put in place and test an incident plan for use when a breach occurs, ensuring that the IT team are appropriately supported to recover any damaged systems and lost data, that the right people are kept informed, a public relations and legal plan is ready to be executed, the Board and executive team have the right information to make good decisions, and that, if needed, the approach taken maintains evidence for later use in court.

Lead a team of information security professionals and manage the security budget

In a larger organisation the CISO will normally be head of a department, with responsibility for hiring and development of information security professionals and for managing the security budget.

Critical skills for a good CISO

Communication is the number one skill required by a CISO, both receiving and transmitting.

A CISO must be able to listen carefully and understand detailed, and perhaps incomplete, information presented to them. They have to maintain a network internally and externally to ensure that they are kept up to date on anything with a potential impact on the security of the business.

They need to provide information in a range of formats, suitable for the Board, the executive team, IT professionals, and the company’s wider employee base. They need to educate, to persuade and to negotiate.

CISOs must be adaptable, particularly in today’s fast-moving business environment. They may be presented with any number of business challenges, for example a merger or acquisition with an associated set of new risks, and it is certain that they will need to adapt to new ways of thinking about security and protecting their organisation as increasing mobile adoption, cloud-based systems and emerging technologies affect security.

The requirement for strong IT technical skills in a CISO varies greatly by organisation. In a smaller company the CISO may well be the only information security professional and may need to be very hands-on in approach. Larger organisations can have significant teams supporting the CISO, and the technical skills requirements may be lower. However, if you are in the business of selling your own technology, your CISO needs to understand that product deeply.

Other much needed skills include:

  • prioritisation of resources;
  • ability to perform under pressure;
  • understanding of law and regulation;
  • people leadership.

A good CISO can be hard to find, given the need for a mix of business and communication skills with technical skills and hard-to-gain experience. One thing businesses can do is try not to ask for qualifications they don’t need. According to Digital Guardian research, around half of the security leaders at Fortune 100 companies don’t have an IT or Computer Science degree, and 10% have no degree at all. Be specific about the qualifications your organisation needs.

Finally, while it won’t solve the immediate problem, organisations might also consider growing the next generation of CISO talent internally over time, with a career roadmap to help suitable candidates gain experience across the wider business while getting the technical skills they need.

Mandy Simpson is CEO at Wellington-based consultancy firm Cyber Toa. She is a member of the New Zealand Institute of Directors and on the boards of Punakaiki Fund and NZTech. This article was first published at cybertoa.com.
