When compared to the rest of the c-suite, the Chief Information Security Officer (CISO) is a relatively new role, but their responsibilities are vital in any business. They are on the front lines of the changing data security landscape.
CISOs have existed for more than 25 years, but today their job responsibilities have grown, and they are moving up the organizational ladder and becoming more integrated with executive teams.
Cybersecurity is more important than ever in company culture, and understanding the role of a CISO is the first step to making sure you’re directing the proper resources and personnel towards building up that part of your culture. The core responsibilities of CISOs are shifting and their top concerns and goals will continue to evolve.
The 5 top priorities of every CISO
CISOs’ roles in executive management are growing. A survey conducted by Fortinet in May 2019 found that 63% of CISOs report directly to the CEO or the board of directors, as opposed to another c-suite executive. The same survey found that their responsibilities are growing as well, but every part of a CISO’s job stems from a core group of responsibilities related to maintaining data security.
According to Security Intelligence, CISOs have five main responsibilities to be successful and keep their company safe.
Develop security programs: While this is an obvious responsibility, it’s also one of the most important. Their number one job is to keep their company’s information secure, and while compliance audits and training employees are important, everything a CISO does relates to data security and avoiding data breaches. Included in this is their responsibility for leading the team responsible for compliance audits. Compliance with data security frameworks, and being able to demonstrate that compliance, is a big part of how CISOs protect their company against data breaches and their financial and reputational repercussions.
Identify, report, and control incidents: Unfortunately, it’s fairly common for data breaches to happen. Since 2005, there have been more than 9,000 data breaches, and over 10 billion records have been exposed. This is something most CISOs will have to deal with at some point, and it’s a hugely important responsibility. It’s also incredibly challenging, because it requires them to have the right tools in place to detect a breach and documented processes in place for reporting and stopping the breach.
Manage and train data security staff: One person can only do so many things at once, so it’s important for CISOs to have staff that is well trained on their company’s security measures and protocol for breaches, as well as regular training to keep their knowledge up to date. Security Intelligence puts it this way: “The security threat landscape changes daily, and today’s experience is only a starting point toward defending the enterprise against tomorrow’s threats.”
Monitor threats and take preventive steps: Cybersecurity threats come from many places, and it’s impossible to track all of them by yourself. CISOs must be an active part of the cybersecurity community so that they can monitor and be aware of potential threats — both to their businesses and others. This kind of network helps a CISO to keep their company’s data safe and ensure they’re training their staff on likely threats.
Communicate with their colleagues: In addition to training their security staff, CISOs need to communicate continuously with employees so everyone understands their role in cybersecurity efforts. With a single click on a malicious link or a response to the wrong email, one person can open up their company’s entire network to a virus or other breach. Helping all employees understand the methods that cybercriminals use is a crucial step in keeping their business secure.
There’s a lot at stake if a CISO loses focus on these core responsibilities. Like any busy executive, they have to prioritize their time and attention and stay vigilant to potential threats.
What skills are most important for a CISO to have?
While IT knowledge and cybersecurity experience are obviously critical for CISOs to have, there are some additional skills that CISOs need to be successful.
Planning and project management: CISOs are often juggling many different projects, programs, and issues at the same time. They also have the added responsibilities of managing a team.
Relationship building with executives: Like any executive or department head, a CISO is responsible for making the case for new cybersecurity directives, speaking up for a budget that meets their needs, and helping other executives understand the importance of their team. To do this, CISOs need to be able to build relationships with people and build trust with them. A CISO who is too insular or poorly connected within their company will flounder.
Incident management: One of a CISO’s most common day-to-day activities is incident management — whether it’s recording and reporting a hacker’s attempt at accessing information that was thwarted or dealing with a breach in progress. CISOs need to understand who to communicate with, what to prioritize, and how to contain and mitigate active incidents.
Policy development and management: Because the activities and threats under their purview are constantly changing, and there are always new threats that need to be addressed, CISOs need to confidently and skillfully develop policies to address new threats and make certain those policies are followed and executed. This means understanding what is practical in their unique organization, knowing how to successfully implement new policies, and always ensuring new policies meet legal and regulatory requirements.
Communication skills: CISOs are often a liaison between the cybersecurity function of their business and the rest of the company. Most people in any given business do not have a detailed understanding of cybersecurity threats and best practices, so CISOs need to be able to communicate with and empower people outside of their department. Teaching others their role in cybersecurity, whether it’s helping executives see the need for a budget increase or helping employees understand how to create strong passwords, is a critical role that only the CISO can play.
The biggest concerns CISOs are dealing with
Manual processes slowing them down: One of the top three concerns for 57% of the CISOs surveyed in the Fortinet survey was that too many of their information security processes are manual, and only 26% of the CISOs surveyed stated that they had purchased and were utilizing an end-to-end integrated security system that allows them to automate and have full visibility of their processes. This is a huge concern moving forward since hackers are only getting more efficient and better at identifying and exploiting data security weaknesses. Manual processes can also slow down external IT audits and compliance efforts in general. Compliance teams must collect a lot of evidence to pass each external audit. If all evidence is collected and organized manually, it will be all too easy to make mistakes as an organization scales up its IT compliance effort.
Staffing challenges: CISOs need to have an educated and experienced staff, and top talent is difficult to recruit and retain. In a list of the top 10 concerns of CISOs, SearchSecurity identified staffing issues as fourth on the list. Not only is finding qualified IT staff difficult but retaining them is even harder. Omar F. Khawaja, CISO at Highmark Health, said that three years ago his attrition rate was between 33% and 50%, but as a result of policies he designed to engage employees and identify risks, he has lowered it to 5%. It can be difficult for CISOs to focus on this part of their job role, but keeping turnover low is crucial to keeping knowledge on the team and lowering the amount of time spent on training and onboarding.
Hackers/attackers: In the Fortinet survey, each CISO surveyed was asked what the top three industry challenges were, and the most common answer was hackers and attackers. Hackers are utilizing more advanced technology and new methods of gaining access to and exploiting businesses’ data. As soon as cybersecurity professionals find a way to protect against one kind of attack, hackers find another way in. CISOs have to fight hackers on many different fronts: ensuring employees are trained on strong passwords and not opening infected documents or links, monitoring their networks, ensuring their cloud storage is secure, and more.
Expanding responsibilities: As discussed earlier, CISOs are becoming more visible, which is a positive thing that can help them get the support and resources their team needs. But CISOs can be saddled with additional responsibilities that are unrelated to their core mission. They are increasingly becoming responsible for things like physical security, audits, operational technology, and more. These additional responsibilities are a positive development, and they mean businesses are seeing the value in utilizing CISOs’ experience and expertise. At the same time, CISOs will have to adapt and learn to manage these tasks alongside their most important data security responsibilities.
Growing frequency and size of cyberattacks: Cyberattacks are becoming more frequent and larger in scope. In 2006, the biggest cyberattack involved the exposure of 94 million credit cards, while the biggest cyberattack of 2018 involved 500 million of Marriott International’s customers. As our security systems and efforts grow and change, so do the efforts of hackers. This increased risk is top of mind for CISOs who don’t want to deal with the same reputational damage that Marriott, Target, Equifax, and countless others are dealing with.
What are a CISO’s main priorities moving forward?
The Fortinet survey describes eight best practices that top-tier CISOs — the 19% of those surveyed that reported zero intrusions — employ, and while they are all eye-opening, the top three are especially worth mentioning.
Increasing their budgets: Top-tier CISOs were 266% more likely than the other CISOs to report a dramatically increased budget for the past year. And even though it is a key indicator of success, finding those budget dollars can be very difficult in practice. To accomplish this, CISOs have to sell their team’s value and incorporate data security into the corporate culture.
Measuring and reporting vulnerabilities that are blocked and found: The top-tier CISOs were 93% more likely to measure and report the vulnerabilities they found and remedied. If CISOs aren’t tracking and reporting their vulnerabilities, they’re losing the ability to manage future vulnerabilities. They can’t understand or help others understand what they’ve dealt with in the past and what they will likely face in the future.
Tracking compliance measures and data: A huge challenge that CISOs are facing is that as compliance requirements grow and change, tracking all of the compliance controls in place becomes more difficult. Compliance evidence is stored in one place, sign-offs are done through email, compliance activity records are stored in another place, new frameworks have to be researched and the compliance requirements have to be teased out, and the CISO can’t track all of it effectively to ensure their compliance program is up-to-date and functioning as it should. End-to-end integrated security solutions, which we’ll discuss next, are crucial for seeing every part of a security program and ensuring it’s functional, and the same thing is true for a centralized compliance solution.
Compliance software such as Hyperproof gives CISOs the ability to quickly see an overview of their compliance program and the health of their internal controls environment, and allows the compliance team to dig into any areas where they find vulnerabilities or issues.
Utilizing end-to-end integrated security solutions: The CISOs who reported no intrusions were also 52% more likely to report utilizing an end-to-end integrated security solution. Because new threats are constantly emerging and cybersecurity professionals have to move faster and faster to head them off, these kinds of fully integrated solutions are the most powerful solution. They solve the issue that so many CISOs reported having with manual processes, and they give CISOs full visibility into and control of their security efforts.
What’s next for CISOs?
The role of a CISO is complex, growing, and changing. An experienced and well-resourced CISO is crucial to modern businesses that must face the reality of constant cybersecurity threats.
As business leaders move forward into this changing landscape, they should evaluate whether the right person holds the CISO role, if they’re supported by the company’s culture and the rest of the executive team, and if they have the resources and budget to create the environment necessary to adequately protect the business and maintain customer trust.