How many cyberattacks against large enterprises can you remember to have happened in the past few months? Surely quite a few; almost every day the media report about new cases. Many enterprises are adequately aware and try to protect themselves; however, the security controls needed to confront the danger are increasingly complex. Therefore, an effective and efficient implementation requires that coordination and responsibility be concentrated in one person alone. This is exactly the task of a Chief Information Security Officer – or CISO in short. Do you have one in your enterprise? Well done! You don't (yet)? Well – even the White House did not have one until September 2016, when Obama appointed his first CISO. Let us explain to you what the tasks of a CISO are, what challenges must he face, and why is the appointment of a CISO indispensable.
The core task of a CISO is, plainly put, the “proactive protection of all information and related technology in an enterprise” - that is, your crown jewels. The definition below includes the following duties:
- Compliance with business requirements and securing business continuity
- Guaranteeing governance and data protection by an effective security strategy based upon acknowledged standards, such as the ISO 27001 or the NIST CSF
- Building a risk-oriented security infrastructure with its security guidelines, ICT security controls and appropriate security architecture
- Running an efficient security organisation with monitoring, threat detection and incident response
- Controlling and reporting over compliance with relevant legal requirements posed by FINMA, PCI, SOX etc.
- Promoting security awareness in management and employees
Does it sound easy? Well it is not, if you look more precisely at the detailed contents.
However, even this graphic does not do full justice to the duties of a CISO. Do you want to know in detail, which the subjects are that a CISO should master today? No problem: InfoGuard has a poster for you to download, drawn by our own security officers.
What must a CISO brings to the enterprise
The requirements' profile keeps broadening, and each enterprise has its own. This makes the job at one time wide and most interesting, but also complex and exacting. Therefore, even large enterprises are often desperately looking for the right professional staff, which are hard to come by, and ever more in demand. On one side, professional and technical competence and experience are needed; the ideal person has experience in different branches, enterprises and projects, both in cyber security as well as in general IT. In addition, appropriate training and education are a must; and notions about compliance management should not be left out.
On the other hand, soft skills such as communication, teamwork, durability, trustworthiness and persistence are of utmost importance for this job. Strategies and concepts must be communicated to management and the whole organisation in an understandable and convincing way. Further requirements are a holistic mind-set and the ability to put together complex elements in a meaningful way. Incidentally, the person must also adapt itself into the enterprise and in the team...
Such a combination of professional and social competences is consequently difficult to find.
What is a CISO in for?
It is clear by now, that a CISO is no 0815 job, even less so a 9-to-5. Cyber security is extremely dynamic; technologies such as Big Data, Industry 4.0, IoT or Cloud develop at breakneck pace, and beyond their positive aspect, they also offer a wider surface of attack to hackers. Appointing a CISO is the first step to fight off attacks; however, the prospects of success depend strongly upon the management commitment, which is often not enough. The implementation of the required controls takes a lot of persuasion work and endurance; for a full impact, the cooperation of each single employee at all levels is also needed.
Quite often, the resources required to fill the role of CISO are not available. Enterprises in such a position are well advised to insource the competences (CISO as a Service). Also in the case of a temporary staff shortage, or for special projects like audits and consulting works, or again to broaden internal knowledge, insourcing can be the optimal solution. Avail yourself of an expert with wide skills and many years of experience, who also takes along a valuable different point of view from the outside.
Understand the role of the CISO
As you know, a successful hacker attack can have devastating consequences and leave a long-term mark on an enterprise. Many have already grasped the idea that cyber security is a key component; now is the time to prepare and implement an adequate strategy, and this is only possible where good management is available. This is particularly important due to the dynamics and complexity of ICT security. If you are a CISO yourself, then you should keep these concepts always well clear in your mind; if you do not have one (yet), then you must deal with this theme seriously! In the long term, you will have no alternative but to appoint your own CISO.
CISO as a Service
Do you want to learn more about CISO as a Service? We suggest that in your enterprise you give adequate importance to information security. However, in many organisation the requirements posed on this function do not justify a full-time position, and placing this responsibility on the CIO only makes sense in specific situations. Moreover, persons in charge of security must absolutely maintain their level of knowledge current; but the daily rush limits the time available for keeping up-to-date. The “Security Officer as a Service” by InfoGuard takes care of this critical manpower situation: you receive an experienced specialist, who will support you with flexibility with the duties of a CISO, and will do so in accordance with the individual needs of your organisation. Our experts possess a broad knowledge, keep themselves up-to-date with the relevant themes and with their wide experience of projects in different sectors bring true benefits to your enterprise. The following reference report shows how our customers have taken advantage of our service.
