By Crystal Silins, Senior Security Analyst
Most companies today employ a Chief Information Officer (CIO) or Chief Technology Officer (CTO), an executive responsible for all things IT for the organization. The CIO or CTO typically reports directly to the CEO, and educates executive management and employees on the business value and risk that IT systems hold for an enterprise.
With advanced, sophisticated vulnerabilities and malicious cyber attacks taking place every day, a business needs someone to focus solely on the security posture of the organization’s IT assets, not just on ensuring the assets are functioning. That’s where the Chief Security Officer (CSO) or Chief Information Security Officer (CISO) comes in.
According to a poll of 435 senior-level technology professionals done in December 2015 by CIO.com, only about 49 percent of respondents say their organizations employ a CSO/CISO who’s solely responsible for managing the risks to critical information. “The CISO’s job is to manage cyber risk, which in turn minimizes the risk of business disruption,” says Heather Engel, Sera-Brynn’s Chief Strategy Officer.
So, should every company have a CISO? The short answer is yes. Today’s standards, regulations, and threats are continuously and rapidly evolving with a greater potential for damage – it makes sense to have an individual focused solely on limiting cyber risk.
What should a company look for in a CISO?
Does your organization’s CIO/CTO have in-depth knowledge of International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and/or Control Objectives for Information and related Technology (COBIT) standards? Do they hold the Certified Information Systems Security Professional (CISSP) certification? Are they aware of the federal and state cyber mandates that the organization must comply with? Perhaps. But ultimately, when it comes to your company’s sensitive employee or client data, it is best practice to employ a security specialist with a wide range of knowledge in IT, industry security standards, protective approaches, and automated tools and techniques for protecting enterprise infrastructure and the availability of information. A security specialist is also able to mitigate ongoing risk and articulate it to the executive level and stakeholders, while managing a team of cyber security professionals. In smaller organizations, the CISO domain may be a one- or two-person job. In larger companies, however, this role becomes critical to managing a team that protects the organization’s credibility by protecting sensitive data, while ensuring uninterrupted productivity.
Finding the right skill set for a CSO/CISO can be challenging for any size organization.
There are technical, communication, auditing, and sometimes legal skills required. A broad technical skill set is of utmost importance, so that the offensive and defensive solutions deployed across the organization preserve user functionality and are appropriate to the level of risk. The CSO/CISO must be able to communicate clearly and convincingly with the C-suite and organizational stakeholders to ensure top-down acceptance. The CSO/CISO must also collaborate with users to promote a security posture that supports productivity.
As information security evolves, so do cyber laws/regulations.
It’s important for your CSO/CISO to be aware of what current laws/regulations the organization must abide by, while ensuring respective compliance. Additionally, your CSO/CISO may need to collaborate with the organization’s legal department or representative when an incident occurs to take the proper response steps and minimize damages. Audits are what determine the success or failure of any security strategy. The best CSO/CISOs know that the goal of a security audit is not just to pass but to also demonstrate proper and effective security strategies with a verifiable record of stopping threats. A self-assessment and/or risk assessment can also be crucial to the organization for improving security strategies and minimizing the organization’s vulnerabilities.
Today, managing the security posture of an organization is a full-time job.
Interpreting industry standards, as well as industry, state, and federal regulations, can be daunting for a CIO/CTO. Having a CSO/CISO translate existing control frameworks and regulations into customized controls that build comprehensive defense-in-depth countermeasures for the organization should be a top priority. And no one is immune to cyber attacks: a CSO/CISO plays a critical role in limiting the damage when dealing with a breach.
If your organization does not currently have a CSO/CISO, is looking for guidance, or is struggling to find the right candidate, Sera-Brynn’s Fractional CISO service may be a good option. For more information on Sera-Brynn’s FCISO service, contact Jeff Tyer, Sera-Brynn’s Business Development Director.