Magda On Cyber

Why Does Your Company Need a CISO?

As our lives move increasingly online and more of our personal information is digitized, it becomes more important to protect that information from being accessed or stolen by cybercriminals. The same applies to businesses, which are moving all of their activities and operations online.

With so much of our information (our most valuable asset!) now stored online, cybersecurity is more important than ever.

Cybersecurity is the practice of protecting our digital data from unauthorized access, damage, theft or loss, among other threats. There are a few key reasons why cybersecurity is so important:

1. Cybersecurity protects our digital infrastructure and the data that is stored within it. This includes everything from sensitive personal information to critical national infrastructure. Without strong cyber defenses, companies, countries and individuals would be extremely vulnerable to cyberattacks.

2. Cybersecurity is essential for protecting our economies. With so much of our economy now dependent on digital systems, a cyberattack could have serious consequences, up to complete disruption.

3. Cybersecurity enables us to maintain our privacy online.

Should your IT manager handle your cybersecurity?

With the news of high-profile data breaches making headlines on a regular basis, organizations are under pressure to improve their cybersecurity posture. As a result, information technology (IT) departments are increasingly being asked to take on a larger role in protecting company data.

However, your IT department might not be adequately equipped to handle cyber risk for your company.

There is a fundamental difference between cybersecurity and IT. Cybersecurity is the protection of systems and data from unauthorized access, use, disclosure, disruption, or destruction. IT is the management and use of information technology in order to support the business processes of an organization.

From a business risk perspective, IT is an important part of cybersecurity because it helps protect the confidentiality, integrity, and availability of an organization’s systems and data. Without proper cybersecurity protections in place, an organization can be at risk for a data breach or other cyber incident that could result in financial losses, negative publicity, loss of customer trust, regulatory fines, and more. However, cybersecurity controls go beyond IT controls and require further controls across people and process.

Cybersecurity requires people, process, and technology to achieve efficient results.

Cybersecurity is not an IT problem because it’s not just about technology. It’s also about people and processes. For example, a phishing attack is not a technology problem; it’s a people problem. The best security technologies in the world can be defeated by a well-executed phishing attack.

Another example is the recent ransomware attacks that hit businesses all over the world. These attacks were not technology problems; they were process problems. The ransomware was able to infect thousands of computers because the victims’ employees had been unknowingly trained to do things that made them vulnerable to attack, or the IT team did not follow the proper process to update/patch the company’s systems.

That’s why cybersecurity is not just an IT problem; it’s a business problem. And it’s a problem that requires an important focus.

In fact, it’s one of the biggest business risks out there. Here’s why:

First of all, cyberattacks are becoming more and more common. Every day, we hear about new companies and organizations being attacked by hackers. This means that the chances of a company being targeted are increasing all the time.

Secondly, the costs of a successful cyberattack can be huge. If your data is stolen or your systems are taken down, you could lose a lot of money — and even put your whole business at risk.

Finally, even if you’re not directly attacked, you could still be affected by cybercrime. For example, one of your suppliers may be unable to continue providing your critical services.

One key way to improve a company’s cybersecurity is to appoint a Chief Information Security Officer (CISO). The CISO is responsible for developing and implementing security strategies that protect an organization’s information assets from unauthorized access or theft. In addition to managing day-to-day security operations, the CISO also works closely with other executive leaders to ensure that security concerns are factored into business decisions.

Broadly speaking, the CISO is responsible for the company’s cybersecurity, not for IT.

What is the CISO’s role?

As mentioned, CISO stands for Chief Information Security Officer. They are responsible for the overall security posture of an organization. This includes developing and implementing security strategy, controls, and procedures. They also work with other executives to ensure that security is integrated into all business decisions. CISOs typically report to the CEO or CIO.

CISOs must have a deep understanding of both technology and business in order to be effective. They need to be able to communicate with both technical and non-technical staff in order to ensure that everyone understands the importance of security and is working together to implement it effectively.

The role of the CISO is constantly evolving as new technologies emerge and new threats arise. But the most important responsibility remains the company’s strategy and security roadmap.

A cybersecurity strategy for a given organization will vary depending on its specific needs and vulnerabilities. However, there are some key components that should be included in any effective cybersecurity strategy.

First, it is essential to have a clear understanding of what assets need to be protected and why they need protection. This includes not only physical assets like servers and computers, but also data and information stored on these systems. Another important part of any cybersecurity strategy is considering the risk appetite of the company, the cybersecurity budget and resources.

Lastly, the cybersecurity strategy should strike a balance between all three types of controls: people, process, and technology.

A CISO’s daily responsibilities vary, but may include the following:

  • Reviewing and assessing organizational cyber risk and exposures, across people, process, and technology.
  • Considering mitigation controls based on the company’s risk appetite.
  • Reporting on those risks to the board
  • Developing and enforcing security policies and procedures
  • Overseeing data security management programs
  • Overseeing cybersecurity controls deployment programs
  • Coordinating cyber incident response plans
  • Performing security audits, and addressing non-conformities

How to find a good CISO?

Much like finding any good executive, the answer to how to find a good CISO begins with understanding what qualities make for a great leader in this domain. The three most important qualities for success as a CISO are:

  1. Being able to influence and align stakeholders
  2. Understanding business risk
  3. Delivering tangible results with efficient controls, from identification, protection and detection to response and recovery

CISOs who are most successful at their jobs are able to effectively communicate and collaborate with other executives in order to ensure that information security is seen as a business enabler rather than a roadblock.

The CISO is responsible for ensuring that the organization’s information security program is effective and aligns with the business goals of the organization. When it comes to developing and implementing it, a good CISO will ensure that all aspects of the organization’s security are taken into consideration. This includes both physical and cyber security (IT, OT, IoT), in other words the company’s entire attack surface.

In order to assess the effectiveness of a CISO, it is important to consider both their hard skills in managing and designing security programs, as well as their soft skills in communication and leadership.

Evaluating a CISO is not an easy task, and there are many factors to consider. One important factor is data breach history.

If a CISO has experience managing a data breach, that’s a good sign.

They likely have the experience and knowledge necessary to prevent future breaches, and manage responses when something happens, as it always will.

Remember: 100% security does not exist!

Another thing to consider is the CISO’s security program:

Does it seem robust and well-designed?

Are they regularly testing and updating their security procedures?

Lastly, you’ll want to make sure the CISO is communicating effectively with other members of the organization. Do they keep everyone updated on new security threats? Do they provide clear instructions on how employees can protect themselves? By considering all of these factors, you should be able to form a good overall evaluation of the CISO.

How much does a CISO earn?

The average salary for a CISO in the United States is approximately $170,000. According to figures from Payscale.com, the average annual salary for a CISO in Singapore is around S$197,739. However, this figure can vary significantly depending on factors such as experience, skillset, and company size.

For example, a CISO with more than 20 years of experience can earn upwards of S$250,000 per year, while a CISO working for a small or mid-size company might earn around S$120,000-S$130,000 per year. Likewise, a CISO with more experience or working in a larger city may earn a higher salary than someone just starting out or working in a smaller town. In addition, some companies offer bonus structures and other benefits that can increase a CISO’s earnings potential.

Why shouldn’t a CISO report to the CTO?

There are a few reasons why a CISO should not report to the CTO. First, the CTO’s primary responsibility is typically to oversee and develop new technology, while the CISO’s primary responsibility is to protect the organization’s systems and data. Therefore, it may be difficult for the CTO to provide objective feedback or recommendations to the CISO on security-related matters.

Second, if there is a breach or vulnerability in the organization’s systems, it could be construed as a failure of the CTO’s department and lead to tension or conflict between the two roles.

Finally, given that their responsibilities are different, it can be difficult for those in reporting lines to have joint decision-making authority.

A CISO can help your company by implementing a cybersecurity plan, assessing risk, and developing policies. A CISO is also responsible for training employees on how to protect the company from cyber threats. If you are looking for a way to improve your company’s security, hiring a CISO may be the answer.

By Magda Chelly

Chief Security Officer | TEDx Talk | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)
