In the business world, it’s common to hear of discussions taking place at the “C-Suite Level,” which usually includes the chief executive officer (CEO), chief financial officer (CFO), the chief operating officer (COO), and the chief information officer (CIO). More cyber professionals are taking on roles at this level as well, as chief technology officers (CTOs), and security executives can offer their leadership as chief security officers (CSOs).
A newer designation merges the duties of the CIO and the CSO into the chief information security officer (CISO). As Forbes reporter Christie Terrill writes, “If you are a small to medium-sized company without dedicated security leadership, you’re probably wondering when the right time is to hire your first … CISO.
“Companies sometimes bring in a Director of Security with the hope that they will eventually transition into a higher CISO level leadership role. Hiring a director is like dipping your toe into the water of security leadership. The primary distinction between a director and CISO is that directors are frequently more hands-on in driving the day-to-day programs and activities, whereas CISOs are typically the interface for security with department heads, executives and the board. The CISO sets the cybersecurity vision and unblocks any political pitfalls that prevent the senior team members from executing that vision.
“Hiring a CISO is a critical decision. Most importantly, you don’t want to wait until security is broken and a major breach has occurred. For example, Target brought their very first CISO aboard several months after their 2013 breach. Your new CISO’s job will be much more challenging if there are already multiple hires in various security positions who are plagued with perceptions like not working well with the business, not proving their value or being held responsible for an insecure product repeatedly exploited in simulated or live attacks.”
Terrill notes five key assessments to tell if your company should hire a CISO:
“Total Access. It’s time for a full-time dedicated CISO when your company is prepared to give cybersecurity a seat at the table with other executives.
“Out of the Weeds. Do you see security as strictly an operational, tools-based area of expertise? Do you think your CISO should be reviewing firewall rules or looking at code for vulnerabilities? If yes, a true CISO probably remains several years in your future.
“Independence Day is Every Day. A CISO needs to independently represent security’s needs, goals and vision for the organization and not be buried too deep into an operational capacity.
“Safety Net Required. When your company no longer has the risk appetite to let someone learn through trial-by-fire on your dime, it’s clearly appropriate for a seasoned security executive to join your team.
“Shake ’Em Up. A CISO will undoubtedly shake up the way the organization behaves on micro and macro scales.
“Not every organization is ready for the investment and commitment that having a CISO requires. But if your company is, choose the skills, background and qualities in your candidate wisely. You need someone with demonstrated success moving organizations from immature to stable security postures. As a leader, a CISO will have weathered multiple scenarios, security incidents and budget cuts at other organizations. They will complement your team with a dossier of real-world experience to draw from and an understanding of applied—not theoretical—best practices.”