Role of the Chief Information Security Officer
David R. Bird, MSc Cyber Security, CISSP, Virtual CISO
Originally Published on LinkedIn
More articles at Cyber Security Intelligence
With the continuous rise in cyber attacks, combined with increasing compliance requirements, many businesses are seriously considering appointing a Chief Information Security Officer (CISO) to develop and implement a robust cyber security programme.
The role is still relatively new in the UK, and it combines a host of responsibilities, including the management of policies and procedures to defend the organisation from both internal and external threats.
The CISO needs to understand and have experience of a broad range of technical and managerial functions. Although the CISO is unlikely to be configuring the firewall themselves, or writing code, he or she should have a good understanding of how all the network devices work together, a knowledge of what poor programming standards can cost the company, and the ability to sit down with technicians and programmers and talk through difficulties.
Business experience with third-party contracts and intellectual property rights, and an understanding of compliance standards such as PCI DSS, GDPR, ISO 23600 and 27001, are also vital for an effective CISO. Furthermore, practical experience of setting up and maintaining an effective security operations centre (SOC) team, and hands-on experience with SIEM and other network and security tools that facilitate incident response, would be a requirement.
A successful CISO will see the application of policies and controls in the light of managing the cyber risk, which includes supply chain risk management, business continuity and disaster recovery risk management. The CISO will also be capable of creating and maintaining policies and procedures which reduce the risk in line with
The CISO needs this range of experience and knowledge because he or she needs to be able to communicate effectively with the other senior executives and board members. Building an effective cyber security programme requires company-wide collaboration, and the CISO needs to be able to engender that support from all management levels and throughout the organisation. CISOs provide a bridge between executives and IT engineers. They add huge value to the business by providing stability and trust in the IT systems.
Value of a CISO
Recruiting a CISO necessitates an investment of both time and money, and it should have full company-wide support to ensure the role is a success. Often the CISO can lead a transformation of company culture such that all staff are cyber aware and those at the "front-end", the programmers, developers and IT support roles, all have the "security-by-default" attitude.
Enduring security comes about when a culture is created where information and systems are protected not just by technology but by changing how people interact with them. Of course, technology and automation should be used to reduce security events, but ultimately it's about changing behaviour, and that's what a good CISO can do.
Just as important, when there is a breach, the CISO will have ensured that incident response and business continuity work together to smooth out what would otherwise be a very expensive event. Interestingly, research conducted by the Ponemon Institute found that those companies with a CISO saw a reduction in the cost of a data breach by $7 (£5) for each record. Many breaches are hundreds of thousands or millions of records.
Another benefit is brand differentiation. When appointing a CISO it is worthwhile announcing it, because it shows your clients and your suppliers that you take cyber security seriously. Appointing a CISO is a business differentiator that gives your business an edge.
Cyber criminals themselves recognise the value of the CISO, as they are now focusing their criminal activities on small and mid-sized businesses (SMBs). They realise that SMBs are less likely to employ a CISO and to be able to develop robust information security programmes in the way that larger organisations have.
Unsurprisingly, CISOs of this calibre are in very short supply, and recruiting them is a real challenge both in the UK and across the globe. As a result, those with the expertise and experience are in high demand and command some of the highest salaries. In addition, the average tenure of a CISO is only 18 to 24 months, which not only causes programme continuity difficulties but requires that the whole recruitment process, with all its attendant costs, repeats with an alarming frequency. What are the solutions to
The Solutions and Alternatives
We'll discuss several solutions and alternatives in Part Two.
About the Author
David R. Bird is a board advisor on cyber security. He works in a consultative capacity with your security team to develop and improve the cyber security programme. As well as being a Certified Information Systems Security Professional (CISSP), David is an Enterprise Architect (TOGAF practitioner), AWS Solutions Architect (Professional) and PRINCE2 project manager; this, together with his previous business background as a finance professional, ensures that cyber security is always aligned with business objectives.