How to Get the Best Out of Your CISO

Saragossa

To many, the term ‘CISO’ is one that carries more than a little uncertainty.

The position of Chief Information Security Officer is still relatively new, and many companies are looking to hire them while at the same time being unclear on exactly why they need one, what their CISO will be doing, and where in the business they should sit.

Despite security’s importance and the ever-increasing spotlight on it, for many companies, security is still treated as an afterthought, as an inconvenience, and as something to be considered only when absolutely necessary or when something has gone wrong.

Research conducted by Nominet Cyber Security and Osterman sheds some light on just how problematic the position of CISO currently is in many industries. Most CISOs feel that they are lacking the resources required to adequately defend their organisations, with over 70% having found some form of malware in their networks as a result.

That’s not all – a third of CISOs feel that their boards do not fully understand the parameters of their role, and as such expect to be fired or otherwise reprimanded as soon as a serious breach happens. Understandably, this leaves CISOs feeling somewhat under the cosh, with every single CISO surveyed by Nominet reporting that they found their role stressful, with 91% saying their stress levels were moderate to high.

So, there are a few questions that we can ask regarding the role of the modern CISO. What does a good CISO need? How can companies ensure that they are getting as much as possible out of their CISOs? How does the position look likely to change in the future?

Gary Hayslip, EvoNexus Selection Committee Member

The CISO role is a special one because of the unique mixture of skills it requires. A good CISO needs to be both technologically savvy and capable of communicating effectively with different stakeholders. They need to work in close partnership with Government, Regulatory, Compliance and Legal personnel in order to ensure their security coverage is adequate.

Most purely technical staff, I think it’s fair to say, aren’t particularly comfortable communicating, and so it’s the CISO’s job to act as the mediator between technical teams and boards.

An IT development background is, I think, the most essential component for a good CISO, as is being a curious person with an inquisitive mind. The speed at which security concerns develop means that CISOs can’t afford to become complacent.

In terms of a CISO’s working day and who they should report to, I think it depends on the size of the company. In smaller organisations, the CISO should report to the CIO. However in larger organisations I believe they should fall under the remit of the CFO in order to balance risk as much as possible.

Barry Coatesworth, CISO

Contrary to what many seem to think, I for one don’t think that a CISO needs to come from a technical background at all. In fact, it may be better if they don’t, as their role is primarily that of a business leader rather than a technical driver. Their job is to understand the security risk landscape at large and to make sure the board is kept aware of the different business cases for investing in different security measures

I don’t see CISOs ever becoming C-Suite members – to put it bluntly, we’re not seen as important enough, and I don’t see that ever changing.

In my opinion, the CISO should report to the CIO, as it’s ultimately the CIO who controls technology finance, and is therefore best placed to determine how much technology spend to allocate to security.

Ian Thornton-Trump, Head of Cyber Security, AmTrust International

How to go about getting the best results out of a CISO will vary wildly from business to business, as ultimately, investments and projects have to align to the overall business’ strategic plan. CEOs need to make sure there is sufficient buy-in from their subordinate C-Suite. That being said, I don’t know of any business that will give every department executive everything they want, as money is not in unlimited supply.

The old-fashioned IT budget or security budget is just not agile enough. I think this is why companies are turning to demand economies, where business needs and the ability to articulate the business value of the proposal are important. I think the days of fixed budgets in IT and IT security are coming to an end – whatever risk model (proactive or reactive) the business decides to follow, big consulting dollars are going to follow – especially when the skill sets just simply don’t exist

With GDPR looming large and an increase in data breach class actions, I think we’re going to see more and more CISOs working alongside – or reporting into – Chief Risk Officer or Chief Privacy Officer. With the advent of a rush to SaaS solutions and third party hosting, I think we will see a more cautious investment in technologies and services – knowing the security posture of your provider is more important than ever in today’s landscape.

My Own Thoughts

Clearly, the position of CISO is one that is changing and will continue to change over the next few years.

Many things about the modern CISO are still relatively unclear. However, one thing that the majority of security professionals I’ve spoken with over the years appear to agree on is that a CISO can only accomplish anything when they are placed within a company who are truly invested in making real change.

Although the CISO might be the one to make the final call on Security matters, Security affects the whole company, and therefore should be more than one person’s concern – ultimately, without sufficient budget and the support of the C-Suite, CISOs are powerless.

Above all, a CISO’s approach to Security needs to be a pragmatic one. Their job is to protect the business, but not to stifle it – to grow as the company grows, rather than acting as a restraint.

A good CISO isn’t someone brought in simply to put up red tape wherever they can. They provide structure and stability, engaging the entire company – not just the Security department – and bringing them along on the journey.

If you’d like to discuss any challenges you may be facing in the Cyber Security job market in more detail, please get in touch with me via LinkedIn or send me an email at leah@saragossa.co.uk.