The Role Of Chief Information Security Officer In An Organization

Through everyday encounters and experiences, we have learned to recognize influential titles in organizations. These titles sit in what is referred to as the “C-suite” and include the Chief Executive Officer (CEO), Chief Operations Officer (COO), Chief Information Officer (CIO), and Chief Financial Officer (CFO). Those serving in these key roles have become the foundation of companies across the world, and without them many wouldn’t be as successful as they are today. Over the past five to ten years, the Chief Information Security Officer (CISO) has joined this elite group and has become a pivotal role inside organizations. Significant events have helped the role of the CISO evolve, and because of the way technology is now viewed, this is a role that will continue to evolve and grow as the years go by.

The majority of CISOs have extensive educational backgrounds, information technology certifications, and many years of experience. Even though most professionals have earned a bachelor’s degree, CISOs are more likely to have gone beyond the minimum qualifications and hold a Master of Business Administration with a specialization in security and computer science. The most sought-after certifications for CISOs are Certified Information Security Manager (a management-focused certification on international security practices), Offensive Security Certified Professional (a certification focused on identifying vulnerabilities and attacks), and Certified Information Systems Security Professional (a certification to prepare, design, and build a cybersecurity program). Lastly, CISOs are required to have extensive hands-on and relevant experience: a minimum of eight years enforcing security, demonstrating strong oral and written communication skills, and formulating, implementing, and maintaining security protocols.

Depending on the organizational structure of a company and the titles currently in use, CISOs can also be referred to as security managers, security officers, or chief security architects. No matter their in-house title, CISOs are in charge of creating and implementing the procedures and policies designed to protect an organization’s systems from internal and external cyber threats. Cyber threats can include malware such as viruses (small programs that get downloaded onto a computer via an email attachment or URL), worms (programs that copy themselves from one source to another through the network), trojans (viruses disguised inside a legitimate document or URL), ransomware (viruses that exploit the target and lock them out of their computer until the target pays the ransom being demanded), and spyware (viruses that are downloaded, spy on your activity, and report it back to an external source). CISOs must be able to predict, prevent, and react to these threats by using their technical knowledge and staying up to date on the latest malware and hacking initiatives that could compromise their systems.

Additionally, CISOs need a great deal of interpersonal skill in order to train departments across the company on how to be digitally responsible. This training is important because it can mean the difference between being the target of a cyberattack and avoiding one. According to the 2018 Ponemon Institute CISO survey “What CISOs Worry About”, 70% of professional CISOs reported that a lack of competence in in-house staff is their greatest threat worry. It might be very easy to blame human nature for being naive and falling for phishing scams, but it is the responsibility of CISOs to educate employees and give detail-oriented instructions on what to do in the event that something goes wrong. For example, to combat this, CISOs can implement internal policies that require employees to forward suspicious-looking emails to the Information Technology unit. The Information Technology unit can then run the email through various software tools and internal appliances that check the attachments or links. If the email and its attachments are determined to be valid, it is released back to the employee for use or review.

Depending on organizational needs, there are various ways to set up the reporting structure of a CISO. It has been noted that currently over half of CISOs report directly to the CIO, since these are individuals who understand cybersecurity issues and can report any concerns and/or advancements directly to the board. Many financial services firms have instead had the CISO report to the Chief Risk Officer (CRO), so that the CRO can report on everyday organizational risks and not just financial risks. If a company is looking to invest a lot of capital in the development of security, it might consider having the CISO report to the CFO so that decisions on cybersecurity spending can be made immediately. Although there is no one-size-fits-all answer, it can be concluded that organizations are moving towards having CISOs report to, or be part of, the executive board.

In order to be an effective CISO, one not only needs technical skills and knowledge but must also hold certain attributes. Security Intelligence outlines these attributes as executive presence, planning skills, security knowledge, and communication. The first attribute deals with the CISO’s self-confidence, composure, and ability to interact with strong-willed members of the organization, such as the CEO. Secondly, the CISO should be able to plan for both short- and long-term goals by aligning all objectives with the company’s mission, setting priorities, and having clearly defined strategies. CISOs should strive for self-development and keep up to date on the latest security advances, especially since they are constantly tasked with taking a stance and advising on information security issues and initiatives. Finally, it is crucial for a CISO to be able to communicate with their team and to recognize that success is a team effort that requires cooperation. Although all CISOs are expected to hold all of the aforementioned attributes, not all manage to have the full package: being visionaries, knowing when to be collaborative, when to listen, and when to command. Since companies often run into this situation when hiring a CISO, they should first prioritize the attributes that are vital to the company, and secondly develop a plan for how to make up for any shortcomings.

The role of the CISO has increased exponentially. No longer is this IT executive relegated to a back-office operation that is required to report to the CIO; the CISO has now taken a seat at the table with the ‘C’-level executives. Part of the reason for the changing landscape for CISOs is that they now face a wide range of risks and responsibilities. Some examples of high-profile events that have shaped this new role are the data breaches at Target, Neiman Marcus, and Equifax.

15 July 2020