Security is one of the fastest-evolving and most complex areas of information technology and a critical concern for companies in just about every industry. Threats to the security of data are increasing, and organizations continue to struggle with the changing security landscape and regulations. Sadly, security incidents and data breaches have become commonplace in business today. Companies are realizing the need for a Chief Information Security Officer (CISO): an executive who is accountable for security, makes security decisions, and educates the management team on risk. Surprisingly, few companies have a dedicated CISO responsible for security within the organization. As a security consultant who has worked with many organizations, I have collected below the questions I am asked most often when explaining the importance of a CISO.
The CISO advises the executive team on how the organization needs to meet security requirements to do business in its industry. The CISO oversees a team that together has a view of the risks facing the enterprise and puts in place the security technologies and processes needed to minimize those risks. She is empowered to communicate risks to decision makers and to take action independently when necessary. She also advocates for investment and resources to ensure security practices are given appropriate attention.
The role grows in importance with every security breach, vulnerability, and incident that occurs. Security threats have become much more aggressive in the last few years and range from individual hacktivists to organized criminal groups.
A CISO would be tasked with the following objectives, although the specific responsibilities depend on the size and maturity of the organization.
In a perfect world, every company would have a CISO. The role has become critical to the operation of an organization, regardless of industry and size. However, a small or medium-sized business may not be able to justify a dedicated CISO. In those cases, it can make sense for the CIO to take on the responsibilities of a CISO and to leverage external consultants for targeted guidance and expertise.
Organizations often fall back on existing internal IT professionals who are focused on operations. Such staff typically have little experience performing a risk assessment and then implementing its recommendations to solve complex business-related issues. The CISO really needs to understand the business risk, not just the IT risk.
An effective information security program can only be achieved when a holistic approach is adopted. This approach should take into consideration the people, process, and technology of information security while adopting a risk-balanced, business-based approach. The success of an information security program has as much to do with people and process as it does with technology.
Having a security team that is responsible for the management and oversight of information security is crucial, and hiring a strong CISO is one of the most important steps in an overall strategy to effectively protect your business and its critical data.