In the past, businesses were run by a small senior management team headed up by a managing director who reported to a president or board of directors. In addition, there were line managers who had a thorough knowledge of their own area, but little else. These were often seen as narrowly focused specialists. Today, however, the business landscape looks different. The top leadership has senior level deputies who are experts in their specific fields while at the same time understanding the business development strategy. This is how the C-suite was born, including, in many organisations a position of Chief Information Security Officer (CISO).
A CISO is responsible for establishing and maintaining processes in an organisation that ensure information assets and technologies are protected and IT risks are reduced. Over the past decade, the presence of a CISO has become standard in business, government and not-for-profit sectors. Today’s evolving number of cyber-threats and targeted cyber-attacks has led to growing demand for CISOs in companies around the world. At the same time, there is an increasing amount of media attention devoted to security breaches in international corporations. These not only lead to financial losses, but, more significantly – to reputational damage.
The cyber-threat landscape has emphasised the CISO’s importance, raising the role to a new level. Many organisations now include their CISO on the board of directors and give them the authority to make important decisions.
Challenges faced by CISOs
When CISOs are part of the board of management, their challenges fall broadly into two areas: the first – which we can call ‘lost in translation’ – is a result of the language difference between the CISO and the rest of the board. Technical people usually have a technological mindset; they are focused on their specialist tasks and processes. Before reaching board level they have often lacked the opportunity for true business engagement, even if they have experience as IT generalists. However, the role of CISO requires a strong balance of entrepreneurial understanding, business acumen and technical knowledge.
The CISO is a relatively new role and does not yet have a professional map. Today they manage a wide range of areas: security strategy, IT risk management, threat management, identity and access management, security performance management, IT compliance management, third-party security, and security architecture.
A CISO’s second challenge lies in choosing appropriate vendors for solutions to help manage these areas. The market is overflowing with security vendors, solutions and specialists and it is not easy for an organisation to select those that satisfy its exact business needs. It is essential to pay attention to the integrity of security solutions and their ability to protect complex corporate infrastructure: having ‘just anti-malware’ is not enough; there should be multi-layered protection with flexible centralised control. The protection should be ready to provide additional security measures beyond anti-malware, such as application control and data encryption. Given the diversity of corporate IT infrastructure, mobile and virtualised endpoints also need protecting. Moreover, it is not only a specialised solution that should be implemented. Expert services and support are also a very important part of corporate IT security. Given the complexity of the task, the more vendors and solutions that are involved, the harder it is for the CISO to develop and execute a truly dependable IT security strategy.
The latest research shows that people hold a CISO position for an average of 18 months* and there is an obvious reason for that. This period coincides with the complete cycle of one IT solution procurement and implementation process, the results of which could demonstrate whether the CISO made a strategically correct decision or not. So choosing the right partners appears to be crucial for the survival of the CISO.
A few pieces of advice for CISOs
If your career goal is to become a CISO, the following steps should help you:
- Remember to negotiate a security budget. The procurement decision of a security solution should not be based on costs alone, but on a qualitative analysis of the company’s needs, regulatory compliance, the cyber-threat landscape and IT risks.
- Become a trusted advisor in your company. Be aware of security risks to company data, and be able to identify and follow industry trends. Make strategic decisions: you cannot be focused on just a few problem-solving issues; you need to have a bird’s-eye view of all problems, at the same time. This also involves choosing an appropriate IT vendor, one that provides solutions, not just products.
- Bear in mind that your organisation is a target. It’s likely, not just probable, that it will be attacked. You need a comprehensive security strategy in place. This should cover the whole corporate infrastructure, contemplate necessary changes to that infrastructure over time and leverage expert security intelligence to provide an effective defense.
- Be prepared to find common ground with board members. You will need to communicate effectively on matters concerning IT risks and how they may affect the business, considering the bigger picture and the business’s strategic direction. Have an open mind and gain cross-functional knowledge and skills. Stop talking to the board in technical language and start using business language.
Be human. Build relationships inside your organisation and earn credibility. You have to lead your workforce on the way to a secure future. Remember that technologies cannot work without appropriate human behaviour so it is important to have your staff on your side when you make changes, or implement new procedures. If employees are resistant, be sure to educate them about your policies, to bring them on board. Importantly, the process of strengthening security should not have a negative impact on employees or prevent them from working efficiency, so listen to their concerns and implement processes to help them.
By Kirill Slavin, General Manager at Kaspersky Lab