November 2019
The Role of the Chief Information Security Officer
David R. Bird, MSc Cyber Security, CISSP. Virtual CISO.
Originally published on LinkedIn. More articles at Cyber Security Intelligence.
With the continuous rise in cyber attacks combined with increasing compliance requirements, many businesses are seriously considering appointing a Chief Information Security Officer (CISO) to develop and implement a robust cyber security programme.

The role is still relatively new in the UK and it combines a host of responsibilities, including the management of policies and procedures to defend the organisation from both internal and external threats.
Technical Experience

The CISO needs to understand and have experience of a broad range of technical and managerial functions. Although the CISO is unlikely to be configuring the firewall themselves, or writing code, he or she should have a good understanding of how all the network devices work together and a knowledge of what poor programming standards can cost the company, and should be able to sit down with technicians and programmers and talk through difficulties.
Business Aptitude

Business experience with third party contracts, intellectual property rights, and an understanding of compliance standards such as PCI DSS, GDPR, ISO 23600 and 27001 are also vital for an effective CISO. Furthermore, practical experience of setting up and maintaining an effective security operations centre (SOC) team, and hands-on experience with SIEM and other network and security tools that facilitate incident response, would be a requirement.
Risk Management

A successful CISO will see the application of policies and controls in the light of managing the cyber risk, which includes supply chain risk management, business continuity and disaster recovery risk management. The CISO will also be capable of creating and maintaining policies and procedures which reduce the risk in line with business objectives.
Collaboration

The CISO needs this range of experience and knowledge because he or she needs to be able to communicate effectively with the other senior executives and board members. Building an effective cyber security programme requires company-wide collaboration, and the CISO needs to be able to engender that support from all management levels and throughout the organisation. CISOs provide a bridge between executives and IT engineers. They add huge value to the business by providing stability and trust in the IT systems.
Value of a CISO

Recruiting a CISO necessitates an investment of both time and money, and it should have full company-wide support to ensure the role is a success. Often the CISO can lead a transformation of company culture such that all staff are cyber aware and those at the "front-end", the programmers, developers and IT support roles, all have the "security-by-default" attitude.
Enduring security comes about when a culture is created in which information and systems are protected not just by technology but by changing how people interact with them. Of course, technology and automation should be used to reduce security events, but ultimately it's about changing behaviour, and that's what a good CISO can do.
Just as important, when there is a breach, the CISO will have ensured that incident response and business continuity work together to smooth out what would otherwise be a very expensive event. Interestingly, research conducted by the Ponemon Institute found that those companies with a CISO saw a reduction in the cost of a data breach of $7 (£5) for each record. Many breaches involve hundreds of thousands or millions of records.
Another benefit is brand differentiation. When appointing a CISO it is worthwhile announcing it, because it shows your clients and your suppliers that you take cyber security seriously. Appointing a CISO is a business differentiator that gives your business an edge.
Cyber criminals themselves recognise the value of the CISO, as they are now focusing their criminal activities on small and mid-sized businesses (SMBs). They realise that SMBs are less likely to employ a CISO and to be able to develop a robust information security programme in the way that larger organisations have.
The Challenge

Unsurprisingly, this kind of high calibre CISO is in very short supply and recruiting them is a real challenge, both in the UK and across the globe. As a result, those with the expertise and experience are in high demand and command some of the highest salaries. In addition, the average tenure of a CISO is only 18 to 24 months, which not only causes programme continuity difficulties but requires that the whole recruitment process, with all its attendant costs, repeats with an alarming frequency. What are the solutions to this?
The Solutions and Alternatives

We'll discuss several solutions and alternatives in Part Two.
About the Author

David R. Bird is a board advisor on cyber security. He works in a consultative capacity with your security team to develop and improve the cyber security programme. As well as being a Certified Information Systems Security Professional (CISSP), David is an Enterprise Architect (TOGAF practitioner), AWS solutions architect (professional) and PRINCE2 project manager. This, together with his previous business background as a finance professional, ensures that cyber security is always aligned with business objectives.