Should you have a Chief Information Security Officer in 2017?


In today’s Internet of Everything world, we’re more connected than ever before—which means more opportunity for security threats and data breaches. To raise awareness about the importance of security, we’ll be celebrating National Cyber Security Awareness Month (NCSAM) by sharing security-focused content all month. Each Monday in October, we’ll share a new security blog post from our experts. Enjoy!

Join the conversation on Twitter with #NCSAM and #CyberAware.

-----

Yahoo. Target. DropBox. Home Depot. LinkedIn. Even the U.S. Federal Government.

What do all these organizations have in common? Unless you’ve been living off the grid for some time, the answer is that they’ve all fallen victim to massive security breaches. It seems hardly a week goes by without another revelation of a massive breach that puts millions (sometimes hundreds of millions) of customers’ private data into the hands of cybercriminals.

And the breaches above? Those are just the high-profile breaches that made the news. Every day, hackers gain access to private data at dozens of smaller companies and organizations, putting customers and business operations at risk. We almost never hear about those.

To get ahead of this serious risk, security-conscious organizations often appoint a Chief Information Security Officer (CISO) to lead the vision and strategy for security and risk management. The role typically includes responsibility for technology, compliance, data security and privacy. Depending on the organization, they may also be involved in some infrastructure, architecture and physical security efforts. Now, this may sound like a synonym for other C-level positions, but it’s not. Here’s how a CISO is different. 

Chief Information Security Officer—isn’t this just another name for the CTO or CIO?

While some smaller organizations combine both roles into one, more and more enterprises are splitting the roles as they realize the responsibilities of each job are fundamentally different, and sometimes conflict. While chief technology and information officers are responsible for delivering technical products, the security officer’s role extends beyond the IT team to an understanding of how, where and why a company collects, accesses or stores data, online or off.

By separating IT and security, your CISO can focus on the elements of cyber security such as: potential attack vectors on your systems, apps and places; information privacy; regulatory compliance; risk management; technology controls; security architecture; and identity and access management. Meanwhile, IT can deliver on the technical product initiatives that power the business. Hiring someone to focus on security exclusively, instead of treating it as just another part of their job, is a smart move that helps mitigate potential conflicts of interest and makes it possible to keep security improvements a constant priority.

Why companies are hiring CISOs now

The role of the Chief Information Security Officer is relatively new (dating back to the mid-90s). However, data proliferation, an always-connected world and the rise of new threats have forced companies that create and store data to get serious about security.

A few years ago, organizations would have put these responsibilities under the Chief Information Officer or in the IT department. Yet, as the importance of data security has grown, many companies have responded by hiring a CISO who is independent of the CIO, CTO or IT leadership. Elevating this position to the C-suite emphasizes its importance and sends a message to the rest of the organization—security is a priority. While independent, the CISO needs to work closely with dev and IT Ops (and in many cases their teams are integrated) in an effort to deliver a seamless, secure user experience.

Most candidates for CISO have previous experience as security engineers and auditors, though some come from the IT Ops, engineering and product development worlds as project managers, developers or architects who have focused on security as a component of their roles. Either way, there is a sizable gap between the number of security professionals needed in today’s digital enterprises and the number of capable professionals available to fill those roles. Closing this gap is why we created an entirely new category of training specifically dedicated to security.

Ready to hire or promote a CISO? Here’s what to look for.

If you create, collect or store data that is valuable to people outside your company, the CISO role, or at least the mindset, is critical to your organization’s future. To fill the position at your company, make sure qualified candidates have real experience with things like penetration testing, digital forensics, incident response and security auditing. Your CISO will need a broad understanding of data, digital assets and the associated query languages. They’ll need to understand the principles of secure design and coding, and be comfortable with programming. This will allow a CISO to support the systems already in place and, in some instances, to create tools that ensure code and data security.

Finally, a good CISO will work with influencers across your entire organization. Getting things done across departmental and structural lines requires leadership and team development skills. Strong communication skills and an understanding of how changing business needs drive security innovation are also skills you’ll want in a top tier leader.

But, not every company is ready for a CISO

Depending on your organization’s IT and security maturity, your business might not be ready for a dedicated CISO. And that’s okay—you still have the opportunity to improve your organization’s security profile; it just has to be approached differently. If your company isn’t ready yet, here are some things to consider in the interim:

  • Deputize a company-wide security expert. This person needs to be influential and trusted enough to implement changes across teams.
  • Train your current IT teams in security best practices. Sometimes it’s just a case of not knowing what you don’t know. By teaching the team about the security threats and ways to mitigate security risks, you may find they are able to implement more secure practices directly into their day-to-day. Additionally, it can be a lot of fun playing the “bad guy” or “spy” and pen testing your own teams’ applications and offerings.
  • Build a security awareness guild. Bring security evangelists from across the organization together on a regular basis to discuss and educate each other on the risks and ways different teams are handling them. Then ask them to disseminate that information throughout the organization.

Bring the CISO mindset to the organization before the CISO—make security training and education your most important company-wide security policy. This will make your org more secure while preparing it for an eventual security team to expand the effort in the future.

The real benefit of having a CISO

Your organization’s data is incredibly valuable, whether it’s your intellectual property, your customers’ personal data or internal communications—but all that data also creates a liability. Having a dedicated security officer on your company’s leadership team will help drive the policies and behaviors that ultimately protect your organization from an embarrassing data loss, and from the additional losses that stem from the fines or lawsuits that follow.

It’s not enough just to hire a CISO. You need to empower them to drive the changes that will protect your organization from these very real risks. While they may be able to advocate for change as a member of a particular team, elevating the security officer to a C-level leadership position gives them the authority they need to align security needs with your business objectives.

With every new announcement of a security lapse or stolen data, your organization’s security practices become even more critical. It may be time for you to give security the attention and emphasis it deserves by hiring your own CISO.

Learn more about how you can keep your organization safe with our information and cyber security training.

Contributor

Gary Eimerman

(VP of IT Pro Content) heads up the IT pro curriculum at Pluralsight. He brought his expertise over from TrainSignal, where he spent eight years helping to grow the company into the leader in online IT training. Gary has a B.B.A. in Management Information Systems from University of Iowa and brings hands-on experience with computer hardware, networking and administration, as well as a passion for education, to the Pluralsight team.

You can follow him on Twitter: @garyeimerman.