Security changes quickly; a CISO can help
Security is one of the fastest evolving and most complex areas of information technology and a critical concern for most companies. Threats to the security of data are increasing and organizations continue to struggle with the changing cybersecurity landscape and regulations. Sadly, security incidents and data breaches are common occurrences.
Companies are realizing the need for having a Chief Information Security Officer (CISO) as an executive responsible for making security decisions.
A dedicated CISO
Still, relatively few companies have a dedicated CISO, and hiring that expertise can be very expensive. Depending on the size of your organization and the complexity of your business structure, a full-time CISO might not be the best investment. Ascend Technologies offers an alternative to a full-time hire: a vCISO (virtual Chief Information Security Officer).
Having worked with dozens of clients on many projects across many industries, we hear the same questions about what a CISO should be doing. The most common are answered below.
What is the role of a CISO?
The CISO advises the executive team on what is required to meet the security requirements for doing business in their industry. The CISO oversees a team that, together, has a view of the risks facing the enterprise and puts in place the security technologies and processes needed to reduce those risks to an acceptable level. He or she is empowered to communicate risks to decision makers and to act independently when necessary.
Do I need a CISO?
Yes. The role grows in importance with every security breach, vulnerability and incident that occurs. Security threats have become much more aggressive in the last few years, and the actors range from individual hacktivists to criminal organizations.
What attributes does a CISO need?
Executive Presence
The CISO should have the executive presence to effectively represent the organization’s position regarding information security and the ability to influence executives. Being able to identify and assess threats, and then translate the risks into language executives can understand is critical.
Business Knowledge
The CISO needs to understand business operations and the critical data the organization is trying to protect. He or she needs to weigh security against business risk rather than treating security as an end in itself, and implement controls that minimize both risk and business disruption.
Security Knowledge
A CISO must be capable of understanding complex security configurations and reports from a technical perspective, and then translate the relevant technical details into language that other executives can understand.
What job responsibilities does the CISO have?
A CISO would be tasked with the following objectives, but specific responsibilities would depend on the size and maturity of the organization.
Reporting & Executive Management Communication
Developing reports, presenting, and advising top executive management on all security matters.
Risk Assessment
Performing risk assessments to understand the overall vulnerabilities of any particular asset within the organization.
Strategic Security Roadmap
Developing a roadmap and budget with sized, sequenced, and prioritized initiatives.
Risk Management Program
Evaluating and advising on new security threats while maintaining a risk register and a corrective action plan.
Regulatory Compliance & Audits
Documenting high-level requirements for compliance and assuring that strategic goals are implemented within a controlled, secure framework.
Vendor Management
Managing and providing oversight of vendors and leading associated due diligence.
Policy & Procedure Management
Developing security policies and procedures and ensuring adherence to them.
Asset Assessment
Classifying assets based on their criticality and business value.
Security Architecture
Reviewing security architecture for new projects and applications.
Awareness & Training
Maintaining and updating the training and awareness plan and its materials.
Incident Management
Managing, communicating, and coordinating a response to security events and incidents.
Do all organizations need a CISO?
In a perfect world, every company would have a CISO. The role has become critical to the operation of organizations regardless of industry and size. However, a small to mid-sized business may not be able to justify a dedicated CISO. In those cases, a vCISO partnering with the CIO can share the responsibilities of a traditional CISO and leverage partners for additional guidance.
What are common pitfalls with hiring a CISO?
Organizations often fall back on existing internal IT professionals who are focused on operations and have little experience delivering risk assessments or solving complex business-related issues. The CISO really needs to understand the business risk, not just the IT risk.
A holistic information security approach
An effective information security program can only be achieved when a holistic approach is adopted. This approach should take into consideration the people, processes and technology of information security while adopting a risk-balanced, business-based approach. The success of an information security program has as much to do with people and process as it does with technology.
Ascend’s Managed Security Services team can help with management and oversight of the information security program at your organization. And leveraging one of our security experts as a vCISO is a critical piece in building an overall strategy that protects your business and critical data. Contact us to learn more about our vCISO support options.
By Mike Manske