Why does every organisation need a CISO?
What has a CISO ever done for anyone?
“Taking information security seriously” has become an essential bullet point on the agenda for any and all businesses in recent years.
But what, exactly, does “taking it seriously” involve?
To quote an article from back in 2014 “Companies that don’t (or won’t) pay security the attention it deserves risk joining a list that includes the likes of Target and Home Depot. It’s time to hire a CISO and take security seriously.” Now, to be clear, that statement certainly isn’t aimed only at organisations of a similar size to US giants like Target and Home Depot – I’ve already written a few times about trends in cybercrime indicating significantly increased risk for SMEs, non-profits and large corporations alike.
So, then, Step 1: Hire a CISO
A quick Google will reveal many articles about the importance of having a Chief Information Security Officer, or CISO, and many coming from a big business angle will be trying to explain why a CISO’s responsibilities must not be included under the umbrella of the Chief Information Officer, or CIO’s role – a common, yet potentially damaging, resource saving exercise. But in reality most SMEs with smaller, or non-existent, executive teams can’t/don’t support a CIO role, let alone spare the resources to create a separate CISO role too.
So they don’t.
And why should they? After all:
What has a CISO ever done for anyone?
According to Bob West, Chief Trust Officer at CipherCloud, speaking in February 2015, “The role grows in importance with every security breach and security vulnerability identified.” So if the 18 months since then are anything to go by, the CISO role is really important.
There is a very important set of core responsibilities assigned to the average CISO, and it will hopefully become clear why these should not become a bullet point at the bottom of a busy CIO’s list:
- They are responsible for setting out the overall security strategy and continually monitoring compliance
- They must possess, and maintain, the technical understanding to stay on top of a continually evolving security landscape with ever more advanced threats
- They should be the first point of contact should the organisation suffer a breach or other security related event
- They should ideally have “the authority and the budget to respond to breaches quickly and efficiently, without getting mired in bureaucratic reporting and red tape – at least until the imminent danger passed and the breach was mitigated.” 
So what’s an SME to do?
There are options, however they are not all without their drawbacks. Against the advice above, the CISO role might be absorbed into the CIO role, or indeed into whichever role that has itself been absorbed into, however I would hope that the dangers of this have been made evident.
The other alternative is a service known as a virtual CISO, or vCISO, whereby an organisation retains a board-level resource to ‘virtually sit inside’ the business and manage their security strategy, budget, review of risks and regulatory programs. They can be available both on-site, e.g. a booked number of days per week, and remotely where needed. This can deliver significant cost savings in comparison to retention of a full-time employee, whilst providing a reassuring presence to business stakeholders – employees and investors alike. This vCISO could simply be tasked with maintaining an existing framework, but could equally be required to implement a framework for the first time, or overhaul an outdated system, and could be retained long-term or, for example in an expanding business, just until the organisation is ready to support a full-time role for itself.
One thing is certain
To not have a clear security strategy in place is to be unprepared, and that is not a viable business plan no matter what size the organisation.
You can read more about our very own vCISO service here.
 – “Why Your Company Needs Both a CIO and a CISO”, http://www.cio.com/article/2684892/cio-role/why-your-company-needs-both-a-cio-and-a-ciso.html, CIO.com from IDG, 17 September 2014
 – “Should your business have a Chief Information Security Officer?”, http://www.techradar.com/news/world-of-tech/management/should-your-business-have-a-chief-information-security-officer–1284320, techradar.pro, 11 February 2015