You have a chief executive for every critical department in your company: finance, marketing, technology, operations, etc. There are plenty of ongoing projects and responsibilities that fall under those department umbrellas — like information security.
Every business should have some team dedicated to keeping their digital assets safe, but that doesn’t mean every business needs to make space in their c-suite for an officer dedicated to cybersecurity, right?
Actually, the need for organizations to create a chief information security officer role is only increasing. Over 61 percent of SMBs have reported being the victim of at least one cyberattack over the previous year — a low figure considering that over 93 percent of the world’s business networks are vulnerable to cybercriminals.
Every week, the rate of cyberattack attempts increases exponentially, so as businesses escalate their reliance on digital technologies, they need to prioritize keeping those technologies secure.
So, what does a chief information security officer (CISO) do, and does your business need one?
CISO Responsibilities
A CISO is responsible for maintaining security of an organization’s information and data. While some businesses differentiate between the role of the CISO and roles like chief security officer (CSO) — who might manage physical security — and vice president of security — who does not operate in the c-suite and typically lacks access to the board — many businesses in the 2020s use these titles almost interchangeably, mixing and matching responsibilities as they see fit.
The typical day-to-day responsibilities of a CISO tend to be as follows:
- Real-time analysis of threats and triage when an issue develops
- Maintenance of intelligence regarding developing security threats and education of the board of potential security problems associated with business strategy
- Data loss and fraud prevention within the organization
- The planning, buying and implementation of security hardware and software to create a secure network architecture
- Management of identities and access to different levels of data and processes within the infrastructure
- Program development for the mitigation of security risks
- Investigation of security failures during successful cyberattacks and data breaches
- Governance of security initiatives to ensure proper funding
CISO Requirements and Certifications
Not just any executive can function effectively as a CISO. Because the CISO role combines business strategy with cybersecurity solutions, CISOs need a strong foundation in IT and cybersecurity, and they also need plenty of experience in business leadership.
Generally, it is advisable for a CISO candidate to have an educational background in computer science, with a bachelor’s degree or higher. Technical master’s degrees with a security focus are also notably useful and increasingly popular amongst high-level security professionals.
No member of the c-suite should be fresh from academia; a CISO should also have at least a decade of work experience, and about half of that should be within a management role.
In addition to these credentials, CISOs should have a number of special certifications to demonstrate their familiarity with cybersecurity concepts and skills. CISO hopefuls should pursue certifications from some of the industry’s leading organizations, which include:
- OSCP
- SANS Technology Institute
- ISFCE
- IACIS
- GIAC
- CISSP
- (ISC)2
- IEEE
- CGEIT
- CISA
Not every organization needs a CISO with every certification, but CISOs should have a handful of certifications and be consistently working toward more. Because cybersecurity is a field that continues to evolve, it is imperative that CISOs commit to continuous education and improvement.
CISO Pros and Cons
So, should you create space in your c-suite for a CISO? It depends on a few factors. You might use this quick and straightforward pros and cons list to help you decide.
- Pro: CISOs provide invaluable security guidance and supervision to protect your organization from increasing cyberthreats. Cybersecurity is a significant concern in the Digital Age, and having an executive dedicated to security strategy can keep your business safe.
- Con: CISOs demand a significant salary and top-level benefits. The average salary for a CISO is about $230,800, which is beyond the budget of many SMBs.
- Pro: CISOs can help ensure compliance with cybersecurity laws and regulations. More countries are enacting laws designed to keep user data safe, and CISOs can build compliance with those regulations into the security strategy to save your organization from severe fines.
- Con: CISOs’ responsibilities tend to overlap with those of other tech-focused executives, like CSOs, CIOs, CDOs and CTOs. You might not be interested in adding another c-suite member if you already have a few tech executives on your board.
Seeing the growing importance of cybersecurity, many organizations are hastily making space for CISOs. Knowing more about the CISO role, you can make an informed decision about whether this professional will make a positive impact on your company structure and strategy.