With all the data breaches and security headlines of the past year, it was inevitable that the role of the CISO would become much more visible. Organizations are increasingly hiring CISOs or creating senior-level security positions, but there is still a lot of confusion about what a CISO actually does.
The job description has shifted from mitigating exposure and securing the perimeter to quantifying and managing risk and enabling business goals. It also depends on the organization’s size and complexity, and on the scope of the CISO’s overall duties. In a smaller organization, the CISO may be a one-person security team who is very hands-on. In a larger organization, the CISO may be the central authority over security operations centers and other enterprise security initiatives.
Security is no longer a back-end process, or a matter of deploying the right hardware and software in the right place. Instead, it needs to be considered as part of every project. CISOs now identify, analyze and evaluate the risks of each initiative, and measure the cost of securing the services with real numbers. A CISO has to think like a CFO to work with individual departments on a security budget, like a legal officer to understand compliance and government regulations, like a business analyst to understand business processes and goals, and like an HR manager to ensure staff are adhering to security protocols.
CISOs should expect to be in close contact with business leaders across all departments to make sure their needs and requirements are accounted for in the security program. In conversations with a number of CISOs this summer, they emphasized the importance of meeting with business stakeholders regularly, learning all aspects of the business, and establishing trust before implementing a security program. Read on for more insights.
For large organizations, a CISO should be considered an essential member of the senior executive team. Not only does the CISO have insights into the organization’s overall security posture, he or she can also assess new products, acquisitions, and partnerships to make sure everything is sound from a security perspective. It’s tempting, especially for a startup, to think there is no need to have a CISO. The focus is on getting the product to market, drumming up customers and sales, and building a brand. But as we’ve seen time and time again, data is the new currency, and if you trade in it, security is something you need to think about. That may be securing the hardware, the data, or the software itself.
What if your organization doesn’t have the resources to bring on a CISO? A startup named Stealth Worker lets businesses hire security professionals—even CISOs—for part-time hours or for specific gigs, Dark Reading reported recently. And quite a few security providers now offer CISOs on demand. For example, Optiv Security (the new company formed by Accuvant and FishNet Security) provides organizations with virtual CISO, staffed CISO, interim CISO, and CISO Advisory Services through its Office of the CISO offering. And it isn’t the only one.
CISOs need to focus on improving the organization’s security posture in a way that benefits users and stakeholders. What is the CISO’s role, and how does he or she go about fulfilling that mandate?