While cyber-security risks are top of mind for many executives, not many have considered bolstering their capabilities in this area via an addition to the management team. But it may be high time do so by hiring a chief information security officer (CISO).
Five years ago, hiring a CISO would have been superfluous. However, as companies continue to expand their technological footprint, they are also more vulnerable to cyber attacks. Having a CISO on board is necessary to alleviate and asses cyber-security risks.
Much of the challenge to hiring one comes from defining the CISO’s role against that of the chief information officer’s. Indeed, the job responsibilities of a CIO are quite different from those of a CISO. The common misconception is that the two positions would be adversarial, but the reality is they often collaborate, says Craig Carpenter, chief marketing officer at cyber-security firm AccessData.
CIOs ensure that the information-technology infrastructure enables employee functionality. They use technology to create efficiencies in the company. CISOs safeguard intellectual property or protect against data breaches. For the most part, the CISO helps C-suite executives make judgments by “lending an independent voice to the discussion,” says Eric Friedberg, co-president of computer forensics firm Stroz Friedberg.
The main function of a CISO is to lower a company’s risk in respect to the security compromises that can happen via a network. From a board-level perspective, CISOs give visibility to and quantify the risks in a company. It’s helpful to have a role dedicated to those responsibilities, Carpenter says.
Typically, CISOs ensure there are adequate policies and procedures in place for cyber and physical security. Then, they assess the security risk relative to those policies and procedures. From there, they are responsible for identifying to the C-suite and the board those gaps in policies and procedures, Friedberg says.
“They have to have a strong technical background but more importantly they have to be steeped in risk-management issues and risk-management standards,” Carpenter adds. “It’s largely an assessment and communications role.”
CISOs also have to be well-versed in IT, take an interest in security, understand the business and, most importantly, be able to communicate risks effectively to the C-suite. If an incident occurs, and CISOs can’t communicate the problem, their value to a company becomes minimal at best, Carpenter says.
“They can’t walk into a board meeting and talk tech” to board members who won’t understand the technology jargon, Carpenter adds. “[The CFO's] business isn’t to understand malware or advanced persistent threats. Their eyes will glaze over.” The CISO needs to be able to break down those risks in ways executives can understand, he says.
While most CISOs currently answer to the CIO, Carpenter says their job is more aligned with a CFO’s responsibilities. First, like a CFO, a CISO’s job is often to say no. Second, when a cyber attack occurs, the CISO has to shut things down, investigate the threat, understand its damage to the company and figure out where it came from. “That’s what risk managers and CFOs do, too,” he says.
In fact, although CIOs and CISOs work together, it can be hard for them to see eye-to-eye on what kind of technology and systems a company should invest in. The CISO often believes security outweighs access. A CIO may discourage the CISO in this regard, but “if [the CISO] reported to the CFO, the CISO wouldn’t get overruled,” Carpenter says.
Yet, hiring a CISO can be challenging. For the most part, the position is relatively new, and finding qualified individuals can be difficult. The majority of CISOs have an IT background, but there still aren’t enough people out there to fill the role of a tech-savvy, polished executive. Ultimately, it’s a big investment, Carpenter says, but one that needs to be made.