IT in the C-Suite, Part I: What is a Chief Information Security Officer?
Technology equals opportunity for enterprises: The opportunity to attract new customers, increase efficiency and drive greater revenues. The problem? Technology also presents an opportunity for bad actors: As noted by ZDNet, a new ransomware pack that includes 23 threat varieties could “make malware attacks easier for crooks,” while Symantec’s 2018 Internet Security Threat Report points to massive upticks in crypto coin mining and mobile device attacks.
The result? C-suites now recognize the need for IT executive-level technology experts capable of not just remediating incidents in progress but designing actionable strategies to keep corporate networks safe. These chief information security officers (CISOs) are on the forefront of IT’s shift into the boardroom, but what does this mean for technology pros considering their next career move?
What exactly is a CISO? What’s their impact? Who’s getting these jobs, and how do you get started?
Where’s the Need?
As IT shifted from cost center to revenue driver, cyber security became a critical area of focus: Critical line-of-business technologies such as cloud computing, big data analytics, and automation tools are now high-priority targets for cybercriminals. If they can compromise the systems and solutions organizations need to conduct day-to-day business or meet customer service expectations, they’re able to effectively hold companies hostage until their demands are met.
This changing market drives an IT shift: More companies are now employing CISOs rather than interim security directors or IT contractors to handle infosec issues. What’s more, businesses are making room for cybersecurity at the boardroom table — instead of requesting the occasional budget presentation or departmental update, enterprises are putting CISOs on equal footing with CIOs, CFOs, and CEOs to help drive business success.
What’s the Job Description?
There’s a seat at the table. CISOs have more autonomy, greater access to resources and the ability to affect corporate policy. But what’s really in the job description? As noted by TechTarget, CISOs are often tasked with multiple responsibilities. While their primary job is to oversee corporate security, this is no simple task — it typically includes both internal and external security monitoring, infosec training of current staff members, hiring new security professionals and creating business-driven IT security plans which meet budget expectations without sacrificing network protection.
Specific responsibilities include developing data loss prevention strategies which use a combination of in-house training and technologies such as identity and access management (IAM) solutions to regulate employee privileges and access. In addition, CISOs are responsible for developing risk assessments of current security controls and identifying solutions — such as automation or artificial intelligence tools — to improve overall protection. Finally, CISOs face the unenviable job of ensuring everyone in the organization, from front-line staff to managers and other C-suite members, complies with application, credential, and network security policies.
Who’s Getting Hired?
There’s a growing cybersecurity skills gap in the United States. Rapid technology adoption combined with increasingly sophisticated attack vectors puts security professionals in high demand, prompting many organizations to adopt “new skill” recruitment and hiring approaches. The exception? CISOs: here, security expertise and technological fluency are mandatory to deliver positive infosec impact.
So what makes a good CISO?
First, you need the ability to align security deployments with business goals. This means engaging with other C-suite members to determine departmental needs and then implementing solutions that (wherever possible) enable business objectives. Ideal CISOs recognize that there’s no such thing as “perfect” security; instead, they look for best-fit business solutions.
C-suite CISOs must also possess top-tier interpersonal and communication skills. This enables them to engage with colleagues, front-line staff and other board members with equal facility and ensures that infosec initiatives align with current pain points — not just hard numbers.
Last but absolutely not least? The ability to make technical jargon relevant and understandable to other board members. While most executives now have passing familiarity with cloud technology and security concerns thanks to the increasing use of personal mobile devices, they’re not security experts — and won’t respond well to acronym-filled, technically-complex presentations. CISOs must have the unique ability to design highly sophisticated security solutions and then present them in simple, easy-to-understand language.
How do You Get Started?
Making the transition from IT staff member to CISO starts with experience; companies typically want 7-10 years of experience in IT with at least 2-3 years of managerial experience. Training is also critical. This includes intermediate and advanced IT certifications along with successful completion of the CISO course itself, which attests to your abilities in providing leadership, designing security frameworks and developing new initiatives.
It’s also worth looking at current corporate culture: Is there room to move up in your organization, or should you consider a move? Both offer advantages — corporate familiarity makes it easier to build rapport and design around existing systems, while changing companies provides a blank slate for security innovation.
Bottom line? Companies are making room for IT in the boardroom, and CISOs are a top priority. Plus, check out the new LIVE online training, starting December 2018 with industry veteran Dr. Edward G. Amoroso, CEO of TAG Cyber and former CSO of AT&T.