Threats to information security are driving innovation within the information technology function. They are also creating high demand for experienced information security leaders. The Bureau of Labor Statistics predicts that jobs for information security analysts will grow 28 percent from 2016 to 2026, four times the average growth rate for all occupations.

Businesses are also looking at how information security can and should be aligned with their operations at the highest level, which has led to a rise in the number of Chief Information Security Officers (CISOs). The CISO function is new territory for many businesses, but it’s important ground to cover. With the current risk landscape, an executive with the right credentials and expertise can help protect your organization’s valuable data.

Why CISOs Matter

Placing an information security specialist in a C-suite position ensures that information security decisions align with the organization’s overall strategy, mission, and risk appetite. Managing the information security function is no small matter, because information security encompasses a broad range of activities related to protecting an organization’s data.

There is a risk management function, which monitors for unauthorized external intrusion into networks, viruses, and other disruptive actors. This includes the cyber risk controls as well as the physical protections around access points (including third-party server locations) and user role policies.

Compliance matters to information security as well. Some types of data, such as health care or financial information, must have specific protections in place. Clients may also require information security protocols for vendors and third parties using their information. Companies will need to demonstrate that their controls and data protections meet the various requirements, and be prepared to address any legal issues if any protection measures are found to be deficient.

CISOs are also involved with technology decisions. There are the systems and infrastructure that support risk management reporting on an organization’s data. There are also the cybersecurity considerations that come with the acquisition of new systems or processes. An executive in the information security role can ensure that the most pressing information security considerations are addressed early in the new technology acquisition process.

Where CISOs Are Needed

Larger companies and organizations that handle large volumes of sensitive information should consider establishing a CISO position if they haven’t done so already. The more complicated the information security infrastructure, the more a company will need someone in an executive position who can oversee its functions and align its objectives to meet the needs of the company.

If your company does not have a designated CISO, it may want to consider whether its competitors have recently put one in place. In the age where cyber attacks are routinely in the news, a CISO can be a marketplace differentiator. A CISO demonstrates to current and potential clients that the company is being proactive in mitigating its information security risks.

If you are a financial company based in New York, a CISO is now a requirement. In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Item 500.4a of the regulation requires each organization to designate a qualified individual to serve as the CISO. This person will oversee and implement the cybersecurity program and enforce the cybersecurity policy. The CISO role may be fulfilled by an existing member of your staff, a member of an affiliate organization, or a third-party service provider.

In a different vein, your company may want to establish a CISO position if there has been a history of problems with unauthorized access to your systems. Data breaches are devastating to an organization’s reputation, and hiring an experienced CISO can help rebuild trust by demonstrating that your organization takes information security threats seriously.

Qualities to Look for in a CISO

The ideal CISO has a blend of both management and information technology experience. A Master of Business Administration and other advanced degrees are common educational qualifications, just as they are for other C-suite positions. In addition, CISOs should have one (if not several) information security certifications. Common certifications include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and ISACA’s Certified in the Governance of Enterprise IT (CGEIT).

Experience with enterprise-wide internal governance systems will be important. Part of the CISO’s responsibility entails managing threats to information security and adjusting risk mitigation strategies. A strong CISO candidate might also have gone through a data breach recovery process and would know the ins and outs of managing the crisis and notifying affected parties.

If you have a candidate in mind for a CISO who may not have all of the necessary experience (such as an employee currently serving in an information security capacity), consider the role that training or certification courses may play in bringing that person up to date. Information security is ever-evolving, so ongoing training will be a critical component of your CISO’s success.

Identifying the Right Candidate

By some indicators, the market for CISOs is fairly competitive. Every type and size of organization stands to benefit from high-level information security leadership. Working with an executive recruitment and placement firm may help expedite the process of identifying the right candidate to meet your organizational needs. An external firm may also be able to provide guidance on salary expectations and other compensation arrangements that could make your organization’s position more appealing for potential applicants.

Organizations that are not in a position to bring on a full-time CISO may want to consider a fractional or virtual CISO who can work with them to establish their security maturity baseline. A temporary CISO may be able to develop a roadmap for improving an organization’s security program and reducing its security risks. A fractional or virtual CISO could also be a good placeholder while your organization grows to the point where a full-time CISO makes sense.

For more information about finding the right CISO function for your organization, please contact us.

Published on April 04, 2019