The role of the CISO

Pubished 15th February 2019

Cybersecurity is a growing disruption for business leaders. Estimated figures suggest that half of UK organisations have been victims of cybercrime within the last two years, resulting in losses of over £720,000 per business. Despite these alarming stats, 25% of UK businesses still fail to have a cybersecurity programme in place. Those that do, have often employed the services of a Chief Information Security Officer (CISO), with the responsibility of ensuring enterprise information assets and technologies are adequately protected.

The role of the CISO has become a crucial component for organisations in this day and age, in large part due to the spate of threats firms now face. As a result businesses are competing fiercely with one another to attract the best CISO talent to their organisation. The outcome for CISOs is a lucrative increase in salary by 20% year-on-year as firms continue to entice these skilled individuals.

Although the duties of CISOs differ by sector, size of a firm and how the business is regulated (as cybersecurity is often structured and tailored to each specific organisation), there are some common responsibilities. None is more paramount than the main overarching objective of a CISO which is to ensure enterprises are safe from cyberattacks. The mandate to safeguard the digital gates is crucial and thus elevated above any other task a CISO may undertake. There are however some further objectives a CISO would be expected to implement and manage.

There is no better protection for an enterprise than identifying incoming threats and controlling them before any damage can occur to the business. CISOs can implement tools across an organisation to detect and announce any incoming dangers.

CISOs should form part of the wider cybersecurity community by reporting these threats internally and externally. By monitoring and reporting experiences and knowledge with the global security community, CISOs can act as security ambassadors who alleviate the weight of fellow CISOs, by delivering advanced warnings on existing and future threats.

With the General Data Protection Regulation (GDPR) now in full swing, there is even increased pressure on organisations to ensure all data follows best security practices and falls in line with the new legislation. The CISO is paramount to this, becoming the key link between an organisations IT department and the information setup process. One report even states 79% of CICO’s believe GDPR is the most important topic in their role.

Click the image to expand

CISO’s on the majority of occasions are responsible for the budgetary decisions regarding cybersecurity spend. However, within some businesses the CFO is still solely accountable for security finances. As CFO’s do not always have the in-depth security knowledge a CISO possesses, company funding may not be sufficient. Organisations therefore structured in this manner may not be equipped effectively to tackle a cyber-breach within the business.

CISO’s, whilst accounting for the majority of security facets within a business, need to ensure their considerations include an emphasis on risk management. For example, ISO 27001 is the international standard for security systems and recommends the requirements for an Information Security Management System (ISMS). This system is pivotal for effective risk management, using a set of regulated processes which incorporate both people and technology to guard and manage any sensitive material. As CISO’s interact heavily with the risk function of a business, a CISO’s role could therefore eventually evolve into either a Chief Risk Officer (CRO) or Chief Security Officer (CSO).

Many organisations look to hire CISO’s with a strong technical background. This can be both positive and negative. It is positive as CISO’s can engage in low-level conversations with teams and staff members that sit in the 1st line of defence structure of a business. However, as a consequence this could divert a CISO from driving security roadmaps and delivering strategy into the board.

Although technical knowledge and skills are fundamental components for a CISO, this forms only part of what is required, as one PwC report states, “Cyber risk is more than an information technology issue; it’s a business issue.”

It is often stated 90% of the world’s data has been generated over the last two years. Whilst this explosion of connectivity presents a number of fresh avenues for organisations to explore, it also provides an abundance of new data to be targeted by cybercriminals. In response, CISOs need to take a more strategic leadership role.

With this in mind, CISOs are required to hold operational and management skills to augment their technical proficiency. As CISOs are included within the C-suite, CISOs are accountable for decision making regarding security whilst also bridging the gap between technical aspects and the organisational effect this has.

Soft skills are therefore integral to the success of a CISO, who must manage a variety of projects, teams and ensure stakeholders are kept up to date. It is, therefore, no surprise that 18% of CISOs held a managerial role previous to their move into cybersecurity.

It is still estimated the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. Although the CISO is considered a newer addition to the C-suite, as attacks continue to present themselves more commonly, hiring an experienced CISO has never been more crucial to strengthening an organisations strategy to protect the confidentiality, integrity and accessibility of its data.