
Is Your Chief Information Security Officer Up to the Task: 3 Questions to Ask


The role of the chief information security officer (CISO) has changed significantly over the last five years as hacking activity has grown in intensity, sophistication, and volume. As cybersecurity today is recognized as much more than a technology issue, the expectation is that the CISO is as much business executive as technical expert.

Although organizations have been mindful of cybersecurity risks for some time, the CISO role only came into wide use over the past 15 years. Initially, the CISO could have accurately been called the “chief system administrator” as the role was largely one of managing security devices, system vulnerabilities, access controls, or regulatory compliance requirements.

Today the CISO’s role is broad and strategic. The technical competencies of yesterday’s CISOs, though still necessary, are no longer sufficient on their own. An effective CISO today must be able to work with business leaders and risk practitioners, as well as with the most technical IT staff, security engineers, and other subject matter experts, in the strategic management of cyber risk.

As the role of the CISO expands and changes, it’s important that organizations ask the following questions to gauge the effectiveness of their CISOs:

1. Does our CISO have the right skills?

The good news here is that there is no one formula for success. A CISO does not necessarily need a technical background to be successful. In fact, according to a report released by Digital Guardian, 40% of CISOs hold business degrees. CISOs with IT degrees accounted for only 27%, while computer science degrees closely followed at 23%.

The keys for CISOs of all backgrounds are to be effective leaders of people and programs, to understand the business and its IT dependencies, to understand how cybersecurity enables the business, and to engage productively with the CIO and IT leadership. That engagement should produce a common view of the security architecture, clearly defined roles for IT and security operations, and results delivered by building the right team and the right internal relationships.

In its totality the “right” team would have experience and expertise across the cybersecurity skills spectrum and would include policy and risk management professionals, network security architects and engineers, IT security operations personnel and forensic analysts, incident response specialists, as well as project managers, strong communicators, and others. The CISO’s ability to build and retain teams that best support and complement their skills is crucial.

Importantly, CISOs need to demonstrate that they are C-suite material by making prudent decisions and engaging other enterprise leaders as peers.

2. Can our CISO concisely articulate risks — including current threats, likelihood, and consequences — in terms that company executives and the board can grasp, support, and act upon?

Many organizations are working to define their risk tolerance and risk appetite, and to refine their cybersecurity strategies. CISOs must have a sense of which data and issues should be brought to the board’s attention and know how to present them.

Boards are more likely to understand the business impact of cyber risks if they are presented in financial terms. By understanding where the potential financial impacts would be, the board and C-suite can more efficiently work together to make strategic cybersecurity investments. An effective CISO should therefore be a diplomatic, business-savvy leader and skilled communicator who can identify and match the organization’s security investment with the board’s risk appetite.

Given the ever-changing risk landscape, CISOs should regularly monitor threats, re-calibrating their organizations’ cybersecurity programs as needed and regularly updating the board on new initiatives.

3. Can our CISO move the enterprise toward more precision in cybersecurity risk management?

The CISO is responsible for delivering a cyber risk strategy that protects crucial information assets by implementing cost-effective, risk-based controls. CISOs must understand the organization’s mission, business, technology, risk appetite, and existing cybersecurity capabilities, as well as the cyber threats facing the enterprise.

The essential first step of cyber risk management — or the management of any operational risk — is to characterize the risk. Many of today’s cybersecurity practitioners, experienced in the cybersecurity risk silo, have been steeped in a “low, medium, high” paradigm for characterizing risk. Such ordinal ratings cannot be added together, compared against the cost of a control, or aggregated with the financial measures used for other operational risks, and the limited precision and expressiveness of this paradigm is a painful drag on enterprise risk management efforts.

What is the dollar value of the “1-in-20” cyber risk for the next twelve months, that is, the annual loss that has a 5% chance of being exceeded? The CISO should have a ready answer. Until recently, available methodologies were too crude and the solution space too wide to allow this question to be answered with any confidence. Yet methods and tools for the quantification of cyber risk in financial terms are increasingly practical and sufficiently reliable for cybersecurity decision making.

The CISO should play a key role in driving the enterprise toward the quantification of cyber risk, as well as in implementing practical tools for calculating it. With an understanding of the financial losses that cyber incidents would cause, the CISO can better develop mitigation strategies through investment in security controls and by identifying the exposures that might be transferred through cyber insurance.
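To make the “1-in-20” question concrete, the following is an added example (not a Marsh method or tool, and not code from the article) of the simplest common quantification approach: a Monte Carlo simulation in which each loss scenario has an annual event frequency (Poisson) and a per-event loss (lognormal), and the simulated annual losses are summarized as an expected annual loss, the 95th-percentile “1-in-20 year” loss, and a loss exceedance curve. The scenario names, frequencies, and loss parameters are constructed for illustration only.

```python
import math
import random
from typing import Dict, List


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method.

    Adequate for the small annual frequencies used here; for rates much
    above ~30 a different sampler would be faster.
    """
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    count = 0
    product = rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


# Constructed scenario inputs for illustration only (not data from the article).
# Each scenario is a loss-event type with an annual frequency (Poisson rate) and
# a per-event loss modelled as lognormal, given by its median and the sigma of
# the underlying normal distribution.
SCENARIOS: List[Dict] = [
    {"name": "ransomware outage", "annual_rate": 0.15, "median_loss": 2_000_000, "sigma": 1.0},
    {"name": "customer data breach", "annual_rate": 0.30, "median_loss": 750_000, "sigma": 1.2},
    {"name": "business email compromise", "annual_rate": 1.50, "median_loss": 60_000, "sigma": 0.8},
]


def simulate_annual_losses(scenarios: List[Dict], years: int = 20_000, seed: int = 1) -> List[float]:
    """Monte Carlo: one simulated year is the sum, over scenarios, of the
    per-event losses for however many events were drawn that year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            n_events = poisson_sample(rng, s["annual_rate"])
            mu = math.log(s["median_loss"])  # lognormvariate takes the normal's mu
            for _ in range(n_events):
                total += rng.lognormvariate(mu, s["sigma"])
        losses.append(total)
    return losses


def percentile(sorted_losses: List[float], q: float) -> float:
    """Empirical q-quantile (0 < q < 1) of an ascending-sorted list."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def risk_summary(scenarios: List[Dict], years: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Figures a board can act on: expected annual loss plus tail losses."""
    losses = sorted(simulate_annual_losses(scenarios, years, seed))
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "median": percentile(losses, 0.50),
        "one_in_20": percentile(losses, 0.95),  # loss exceeded in 1 year out of 20
        "one_in_100": percentile(losses, 0.99),
    }


def exceedance_curve(losses: List[float], thresholds: List[float]) -> Dict[float, float]:
    """P(annual loss > threshold) for each threshold: the loss exceedance curve,
    read as 'the chance we lose more than $X next year'."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


if __name__ == "__main__":
    summary = risk_summary(SCENARIOS)
    for label, value in summary.items():
        print(f"{label:>22}: ${value:,.0f}")
    curve = exceedance_curve(simulate_annual_losses(SCENARIOS), [0.0, 1e6, 5e6, 2e7])
    for threshold, prob in curve.items():
        print(f"P(loss > ${threshold:,.0f}) = {prob:.1%}")
```

The “one_in_20” figure is the ready answer the paragraph above asks for, and the exceedance curve is what lets a control (which lowers a scenario’s rate or median loss) or an insurance limit (which caps the loss above a threshold) be compared in the same dollar terms as the risk itself. The weak point of any such model is the inputs, so in practice the scenario parameters should be estimated from incident history, industry loss data, and calibrated expert judgement, and the model re-run as the threat picture changes.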

Set up for success

Ultimately, C-suite leaders and board members need to support and empower the CISO — especially necessary when new or enhanced security practices are required or new security investments bring change to legacy business processes.

CISOs can effect change that is critical to the success and longevity of businesses today. Boards and C-suites need to ensure that they are selecting, and then supporting, the CISO in a role that is increasingly critical to the business. Additionally, boards and C-suites need to reinforce the message that all leaders across the organization have a role in cybersecurity, must work with the CISO, and must embrace their specific cybersecurity responsibilities to facilitate the continued success of the business.

The CISO is the focal leader for cybersecurity; however, as the organization’s cybersecurity program adjusts to changing policies and regulatory guidance at the state and federal levels, all leaders need to ensure that their specific areas of responsibility (legal, human resources, finance, operations, logistics, etc.) are represented appropriately and reflect the business needs in the organization’s cybersecurity program.