What is a CISO, and What Do They Do?


In 2014, Gregg Steinhafel, then CEO and President of Target, stepped down from the company after 35 years of service. He held himself accountable for a data breach in which 40 million credit card numbers and 70 million phone numbers and addresses were stolen by hackers. He is not the only CEO to have resigned following a hacking incident; Amy Pascal was fired from Sony Pictures Entertainment under similar circumstances. She later joked that she should have been fired sooner. In 2018, Tech Republic published an article predicting that more CEOs would be fired over cybersecurity issues, because executives who do not involve security personnel are usually the ones blamed for such attacks. Fortunately, businesses are embracing the need for security experts, and one of the people invited to the high table is the CISO (Chief Information Security Officer). So, what is a CISO, and what are their responsibilities? Let us tell you more.

Defining CISO and What They Do

BitSight describes a CISO as someone who wears many hats but whose job is to translate complex business problems into viable information security controls. The CISO is a senior executive and is usually involved in the detailed process of coming up with practical information security policies and programs. As a result, the CISO is also tasked with ensuring the laid down policies and procedures regarding information security within the organization are constantly updated to remain compliant with the standards and laws.

It is the job of a CISO to keep everyone in the organization informed of any updates, which makes the responsibility a continuous one. CISOs must stay ahead of hackers by learning the tricks attackers use and alerting employees and executives to what they should do to prevent attacks. This continuous exercise involves educating every stakeholder about the information security protocols, deploying them, revising them, and overseeing them. CISOs can use whatever means necessary, including simulated attacks, to check the organization's preparedness so that they can fix any vulnerabilities. As IT Pro highlights, CISOs are also responsible for creating an Emergency Response Team to address any cybersecurity attack once it happens. A CISO should also develop a Disaster Recovery Plan to ensure that the business is not left stranded after an attack, since hacking can cost businesses millions of dollars, especially when stolen data cannot be recovered. Because a CISO also understands the limited budgets that most organizations have, s/he must advocate for investment in security practices.

Attributes of a Good CISO

Security Intelligence explains that a good CISO should have the following traits:

Executive Presence and Leadership

Having an executive presence ensures that the CISO can stand his ground even when other senior employees try to intimidate him. CISOs should have a seat at the board of directors' table so they can communicate any concerns regarding information security, because those are the people who make decisions on behalf of the company. As the spokesperson for the information security department, the CISO must also know how to communicate with all stakeholders in an easily comprehensible manner. Some security experts opine that the CISO's executive presence should enable him to report directly to the CEO, but since most CEOs have no clue about cybersecurity, being invited to the board of directors' table is better.

Strategic Planning Skills

Since a CISO is tasked with developing Data Recovery Plans and creating Emergency Response Teams, she must know where the vulnerabilities lie within the security system. To come up with viable plans and effective teams, she must look at every angle that gives hackers a loophole for their attacks, which is why a CISO needs to be a strategic thinker. The policies she implements must be in line with the organizational goals and compliant with regulatory standards. Besides, if she is not a permanent employee of the organization but is outsourced, she must understand that the plan that worked in one company will not necessarily work in another.

Security and Business Knowledge

As West Monroe enlightens us, a good CISO must have adequate business and security knowledge. Business knowledge is essential in ensuring that the policies they create address all aspects of the business operations. CISOs who understand how a business runs will develop plans and risk assessment procedures that cover all the ground, so that one action does not interrupt the rest. Security knowledge, on the other hand, must be learned through training. There are many courses that CISOs can take to equip themselves with the necessary information security skills. Even after getting the right qualifications, a CISO must also stay updated on the changes occurring in the technological space, because hackers keep changing their attack methods.

Becoming a CISO

Cyber Security Guide details the steps one needs to take to become a CISO.

According to the article, information security is not a career suited to everyone; therefore, you must do a self-awareness test to understand whether you possess the traits required for the profession. Such skills include strategic thinking, leadership, and a drive to stay updated on technological changes.

Most CISOs are absorbed into the profession after obtaining a bachelor's degree in information security, computer science, or a related discipline. An undergraduate degree will get you into junior positions, such as an entry-level systems analyst or computer specialist, before you can climb your way to the top. Soft skills are also crucial, so a business education will go a long way toward ensuring you clinch that position. It is, therefore, no wonder that CISOs are also pursuing MBAs.

Stay Updated

Since staying updated is among the requirements for becoming a CISO, you must always be aware of any changes within the information security world. As hackers evolve their methods of launching attacks, you must always know what they are up to and devise effective plans to deter any possible attacks. Besides, as technology changes, so do the laws, and CISOs have to ensure that any programs they create comply with the regulations.
