What is a CISO?
A CISO, or Chief Information Security Officer, is primarily responsible for an organization’s cyber security initiatives. In recent years, the CISO role has expanded significantly. CISOs are no longer only technologists; they are now also expected to participate in high-level initiatives as business strategists.
What are a CISO's specific responsibilities?
1) Security operations: This includes overseeing systems, real-time threat analysis, and defining organizational priorities.
2) Cyber intelligence gathering: A CISO ensures that a given organization uses threat intelligence resources to predict and thwart potential threats, in addition to sharing this information with industry peers.
3) Security architecture: Purchasing the right security hardware and software is important. A CISO facilitates and oversees this process.
4) Identity and access management: A CISO is responsible for ensuring that system users are authenticated and can access the resources they need, without being granted access they do not need.
5) Investigations and forensics: If a cyber attack does occur, a CISO is responsible for ensuring proper event investigation, including exploration of the breadth and depth of the attack.
And so much more.
What combination of education, skills and experience are necessary for this role?
Typical candidates for the CISO role have a bachelor’s degree and 5-12 years of related work experience. Some candidates may have master’s degrees with a technology bent.
Technical skills needed for the job include:
- Understanding of programming and systems administration
- Strong knowledge of risk management
- Knowledge of DNS
- Knowledge of routing
- Knowledge of authentication best practices
- Knowledge of VPN security measures
- Knowledge of proxy services
- Knowledge of DDoS mitigation technologies
- Knowledge of threat modeling
- Firewall and intrusion detection/prevention protocols
- The ability to communicate risks
- The ability to develop strategic plans aligned with an organization’s mission
- The ability to build strong relationships with others throughout the company
- Interest in emerging technologies
In addition, CISOs need strong leadership capabilities: the ability to manage and motivate teams, which includes providing feedback, learning opportunities, guidance and encouragement. CISOs must also exhibit tenacity, grit and a positive attitude, as CISOs typically spend significantly more than 40 hours working per week.
Who does this person typically report to?
To whom the CISO should report is a somewhat contentious issue. Company maturity, size and industry are often determinants of who a CISO should report to. According to PwC’s 2018 Global State of Information Security Survey, 40% of CISOs report to the CEO (more common in smaller organizations), 24% report to the CIO, and 27% report directly to the organization’s board.
In the past, some CISOs reported to CIOs. However, a PwC report indicates that organizations with this reporting structure in place incur financial losses that are 46% higher than those of organizations with a different reporting structure.
What has the evolution of the CISO role looked like?
The evolution of the CISO role has occurred at lightning speed. Previously, technical knowledge and management know-how were enough. Now, CISOs are expected to function as business enablers, and they are more visible within organizations than ever before. Increasingly, CISOs are considered part of the C-suite.
What does the future of the CISO role look like?
Given the global transitions to remote work, experts predict that the CISO role will intensify, offering extraordinary opportunities to show technical and strategic competence, along with business leadership savvy.
What challenges does a CISO typically face?
A CISO may encounter pushback or obstinacy when introducing new policies and best practices. For example, new password management requirements may prove challenging for employees to adopt and grow accustomed to, breeding frustration and resentment.
In small-to-medium-sized enterprises, CISOs may also experience challenges in securing budget for needed improvements and projects. The ability to neatly summarize requirements, rationale and projected outcomes when speaking with decision-makers is key.
Notable quotes about the CISO role in the wake of the coronavirus:
“When the stay-at-home orders finally end, and employees start returning to the office, we’re going to have to take more of a hybrid approach to security. We’ll go back to traditional security plans, and we will also need to maintain the flexibility that we gained as a result of the coronavirus,” Jony F.
“Rather than thinking of the coronavirus and stay-at-home orders as an obstacle, CISOs should see the situation as an opportunity to demonstrate our strength and capabilities. We were able to react swiftly, to change systems, and to enable our enterprises to keep going. Executives and the whole organization felt the importance and positive influence that the cyber security team has on day-to-day operations,” Jony F.