The role of the CISO and the challenges it brings

If there was ever any doubt that the role of Chief Information Security Officer (CISO) was an important one then these questions should have been resolved over recent months. A combination of data-related scandals and the introduction of GDPR should hopefully have convinced all concerned that the role of CISO is one of the most important positions in an organisation and, as such, merits the same degree of attention as you would take to hiring and positioning any other senior member of staff.

With a bright new year now upon us, now seems like an appropriate time to review the role of the CISO and the challenges facing it today and in the future.

Everything starts with the right hire and, for many years, the CISO has usually been hired from the ranks of IT professionals. There is still a lot to be said for this approach. After all, a lot of data protection really means keeping it safe from cyber attacks.

Having said that, there is also a case for opening up hiring criteria to make it easier to hire candidates from other business areas such as risk, data management, legal and even finance. People from other areas would certainly need to have a rock-solid understanding of IT, even if it wasn’t their core competency, but assuming this was in place, hiring someone from outside the standard talent pool could bring something new to the table.

At the present time, data suggests that the majority of organisations have CISO reporting to the Chief Information Officer. This makes perfect sense given the traditional view of Information Security as being an IT niche and it can work very well, especially if your main concern is to have a 100% watertight IT security system.

The problem with this approach is that it can become only too easy to slip into the attitude that information security is nothing but IT security and this is simply not the case. Of course, there is a lot of cross-over, but successful information security requires a much more holistic approach to protecting data and, in particular, a recognition that it is often humans, not computers, who are most vulnerable to attack.

Because of this, it may be more appropriate to put another reporting structure in place, such as having the CISO report to risk or legal or even directly to the CEO or board.

When it comes to information security, the best hires in the world cannot work completely alone and, the more support they get from their colleagues, especially their senior colleagues, the more effective they are likely to be able to be.

It is vital that senior managers themselves not only practice what they preach but are clearly seen to be doing so by everyone in the organisation. So perhaps the most important lesson to take into 2019 is that even though having the right CISO and the right organisational structure are both important, ultimately, everyone in the organisation has to play their part in keeping data secure.

When a CISO reports to the IT department, which is commonly the case, there is a risk of a conflict of interest arising. The IT department – and the CIO – have the responsibility to keep the tech working at the touch of a button, whereas the CISO may find herself needing to cut that off to address security breaches. The CIO or head of IT has the ultimate say and can refuse to take action if that will hinder the progress of the technologies that people are expecting to work effectively.

If a CIO is at risk of not taking a CISO’s advice seriously, then the security of the firm is at risk and the CISO is in an impossible position. If instead, the CISO is positioned so that they report to the Legal Department or the Head of Security or Risk at a business, they can fulfil their role more effectively without the risk of clashes that could risk an organisation’s online security.