The Purview of a CISO
Sivan Tehila, co-authored by Jacob Leichter
Many industries function very much like a ship, be it a sailing ship of old or a modern spacecraft voyaging among the stars. Each person aboard the vessel serves a different role, based on their unique skill set, that contributes to the fulfillment of the mission. Cybersecurity is no different, requiring a diverse array of individuals to construct the defensive layer around their organization’s resources. While each role is crucial, none is more important than the captain. In cybersecurity, the Chief Information Security Officer, or CISO, sits at the helm of the security team and guides its progress.
Despite cybersecurity’s significance today, the CISO is still a relatively new addition to the corporate hierarchy. This executive position first emerged in 1989 and rapidly evolved in lockstep with the expanding role of technology in business operations later in the 90s. What began with a focus on internal processes and tools has since grown to include people, compliance, and the furthering of business objectives. However, the exact responsibilities and daily obligations of the CISO may be unfamiliar to or misunderstood by organizations looking to improve their security posture. This article should help shed some light on the role of a CISO and how it can benefit an organization.
There are a good number of duties that fall within the purview of a Chief Information Security Officer. Fortunately, many of them are connected and each plays some part in supporting the other endeavors of the CISO. Here are five core responsibilities for a CISO:
1. Designing a Security Architecture and Strategy
As the Chief Information Security Officer, it falls upon this individual to spearhead the creation of a security strategy and architecture to protect company resources. How intensive this undertaking must be will vary on a case-by-case basis. The CISO must assess the situation at hand and use that information, along with available resources, business needs, and the risk landscape, to develop an effective security program. Because cybersecurity is a constantly shifting field, the CISO may need to revisit the design and make modifications as new threats emerge or as the company’s objectives change.
2. Supporting Business Objectives
When designing the company’s security strategy, a key detail to understand is the ultimate aim of the organization. Having this information is essential for determining how to best protect company resources. The CISO needs to chart the security posture’s course and implement tools that do not impede business operations. To that end, the CISO must have strong communication skills both to understand stakeholder expectations and to explain technical jargon to non-technical personnel.
3. Ensuring Compliance
Various industries are governed by different regulatory bodies, legal obligations, and security standards. Examples include PCI DSS, ISO 27001, HIPAA, and GDPR, among others. Organizations that are beholden to these regulations may be required to implement certain practices in their security operations. Companies must also undergo periodic audits by third-party bodies to verify compliance. CISOs need to be aware of these legal requirements and confirm that they are being upheld and documented appropriately. If necessary, the CISO should be able to communicate the importance of these regulations to stakeholders, other executives, and employees in a clearly understandable fashion to ensure that everyone is apprised of the expectations.
4. Incident Response
Perhaps the most stressful entry on this list, the CISO needs to be the level-headed leader to navigate an organization through an incident. Events can occur at any time and often without warning. The CISO must develop an incident response playbook and train the security team on how to run response activities to contain active events. Further investigations should be conducted after containment to gather more information and to ensure that mitigations are put in place. Most importantly, the CISO should analyze the event and learn from it to prevent such incidents from occurring again. As part of effective cyber resilience efforts, the CISO must also stay apprised of existing and developing cybersecurity trends to prepare for any potentialities that may strike the organization.
5. Cybersecurity Training and Awareness Program
An organization’s security posture is only as good as its weakest link. Unfortunately, the human element tends to be that weak link. The average employee may not know how to navigate the Internet safely or how to avoid falling prey to common threat actor tactics. It falls upon the CISO to devise and conduct regular training for all employees to keep that first line of defense aware of smart Internet practices. Additionally, the CISO must create strong Identity and Access Management policies and onboarding/offboarding policies for potential and former employees, respectively. Managing users to prevent any abuses of privilege or disclosure of sensitive information is critical to keeping company resources secure.
While these are some of the key responsibilities of a Chief Information Security Officer, they may not always be part of the CISO’s daily schedule. The everyday routine more commonly involves cyberthreat intelligence briefings, meetings with various departments and personnel from across the organization to discuss evolving business needs, planning potential updates to the security strategy, and coordinating the overall security program of the organization. Additionally, a CISO may be occupied with compliance audits or, in worst-case scenarios, an unexpected incident or outage.
Many executive positions come with their stressors, and that of the Chief Information Security Officer is no exception. A February 2020 survey of CISOs across the United States and the United Kingdom, conducted by cybersecurity firm Nominet, revealed just how severe the demands are on those in this role. Overall, 88% of respondents described themselves as being under moderate to high stress, a 3% decrease from the previous year’s finding of 91%. This stress resulted in negative impacts on mental and physical wellness, at reported rates of 48% and 35% respectively. The rigors of being a CISO even led 90% of survey participants to consider taking a pay cut for a better work-life balance. Unfortunately, all of this stress results in a high turnover rate, with the average term for a CISO lasting only 26 months. These findings are concerning and reflect the reality facing security practitioners as the need to guarantee data security and defend against cyberattacks increases.
Given how critical cybersecurity is to organizations in all industries, having strong leadership is essential. The Chief Information Security Officer is the individual responsible for steering a business in the direction of effective security. This insight into the duties of a CISO should help organizations make a more informed decision when selecting a candidate to step into that role. The CISO is an essential component of any corporate framework. Protecting client and corporate data is becoming increasingly critical as attackers target organizations of every size and across all industries. Positioning one individual at the security team’s helm to steer it in the best possible direction facilitates this process and positions the company for success in its defensive efforts.