Hiring a CISO: The Most Important Decision You'll Make in 2021
Chief Information Security Officer (CISO) is a relatively new role and more and more companies are considering adding the position or increasing the influence of their existing CISO. The urgency stems from an increasing number of reported breaches, many involving hundreds of millions of records and requiring millions and even billions of dollars in fines and damage repair. In fact, CybercrimeSecruityVentures.com estimates that cybercrime will be a $6 trillion business by the end of 2021.
The notion that a CISO is important only in certain industries, like finance and insurance, is now seen as naïve. If your company hasn't already done so, it's time to fill the information security leadership gap. In this white paper we'll share why a robust cybersecurity strategy is essential for every business, why a CISO is a critical part of that strategy, and what you need to know as you develop and implement the strategy and the role.
A word of caution: If you feel your company is too small to afford a CISO or your existing organizational structure doesn’t currently support another C-level role, please do not stop reading. The need is just as urgent: Verizon's 2019 Data Breach Investigations Report found that 58% of cyberattack victims in 2018 were small businesses. Investing in cybersecurity still is essential, but we'll offer alternatives that can protect your business without the enterprise price tag.
As evidenced by the nightly news, trying to implement cybersecurity strategy after a breach or other incident can prove disastrous. A look at the big picture underscores the need to be proactive. Smart systems, artificial intelligence, cloud-bases solutions, the Internet of things -- many are calling it the Industry 4.0 revolution. Data and technology are at the heart of it all, and the digital landscape is expanding exponentially, creating new avenues of growth and revenue. But it also is creating new points of vulnerability for business, and the number and scope of cyberattacks is surging.
More and more business leaders are realizing that cybersecurity is no longer just the purview of IT, but requires a comprehensive strategy that extends to all aspects of the business, from the customer service call center to the board room. The National Association of Corporate Directors' annual Public Company Governance Survey has, for several years, revealed that board members rank cybersecurity as a top concern. In the 2017-2018 report, only 6% of board members agreed with the statement, "I am confident that our company is properly secured against a cyberattack."
An effective cybersecurity strategy is critical, and it needs to address a complex and growing array of risks. You probably have risk management strategies for disasters like fire, earthquake or major power surges -- with cybercrime, the risk can be even greater, as you can see from this list:
Loss of data represents significant financial repercussions. Criminals can make the data simply disappear or they can use it for personal gain, such as insider trading. Using ransomware, they can encrypt your business-critical files and demand payment to release it. Entrepreneur.com points out that intellectual property (IP) is increasingly tied to wealth, and in digital format, IP is vulnerable to cyberattacks.
Exposure of sensitive data is one of the biggest concerns in the high-profile news stories, and for good reason. If criminals have access to login credentials and passwords, routing numbers, credit card numbers, social security numbers, you can imagine the consequences. Even in the absence of bad actors, sensitive data can be exposed if security is lax. This can undermine the confidence of your customers and business partners and hit your bottom line - hard.
A particularly unsettling risk is unauthorized control of physical environments. With increasing use of smart devices and automation, criminals or even terrorists can gain control of manufacturing, communication, transportation and other systems. Thieves could disable alarms and other physical security systems, and terrorists could send a nuclear plant to critical mass, cause trains to crash or power grids to fail, or cause other catastrophes.
Other risks include malware attacks, in the form of viruses, worms, Trojan horses, spyware and other software designed to cause havoc of one form or another. Phishing, in which the criminal poses as a legitimate player in order to access sensitive information, also can put your business at risk.
The consequences of a cyberattack can include damage to brand reputation as well as the reputations of business owners, senior executives and board members. In several high-profile cases, CIOs or CEOs were forced to resign following a major breach at companies like Target, Home Depot, Sony and others.
Another important risk consideration is that fact that few, if any, businesses use technology that is completely isolated. Most likely you use mobile devices, vendor integrations, outsourced services, cloud-based applications and nodes in the growing digital landscape. Even if you just use the Internet and email, you are at risk.
Hiring a CISO: Critical to Cybersecurity Strategy
In spite of the significant risks and evolving threats, many business leaders still consider cybersecurity a function of IT, relegating it to a low-visibility, low-priority status. Instead, a strong cybersecurity strategy should incorporate proactive efforts to raise awareness throughout the company. Adding a CISO helps position cybersecurity as a discipline of global importance to the organization.
While many CISOs still report to a CIO (more on that below), CISOs who report directly to the CEO are uniquely positioned to assert the strategic importance of cybersecurity. With direct access to the C-suite and board members, they can help stakeholders understand the risks in language that each one understands. That will help ensure that cybersecurity strategy is integrated effectively into the overall business strategy, not just tacked on as an afterthought.
The presence of a CISO also helps strengthen confidence among the company's customers and partners. In fact, many CISOs interface with customers, helping to help land and retain business. Product companies, data centers or anyone else that touches another company’s data are now regularly subject to customer scrutiny and the CISO leads the charge. An important reason for this is that a good CISO has unique expertise that even the CIO may not have. In fact, given the aggressive pace of change in the field, it is a full-time job to keep up with the latest threats. For example, one INFOSEC article points out that artificial intelligence represents new vulnerabilities but also new tools to enhance cybersecurity. A CISO brings specialized subject matter expertise as well as the understanding of how that expertise should be applied across the organization.
Size doesn't matter. Really.
According to a Forbes.com blog, cybersecurity is now an essential investment for every company of every size in every industry. Many small business owners choose not to invest in cybersecurity because they assume that they won't be targeted. In fact, that belief is exactly what makes them vulnerable. Small businesses are likely to be less protected, and cybercriminals know this.
In fact, many big-company attacks have taken advantage of information obtained through attacks on small businesses. For example, the 2013 hack of Target's systems was traced to credentials that were stolen from a small HVAC vendor.
Corporate giants like Facebook can weather the cost of a breach, but the lack of a robust cybersecurity strategy can close down small and medium-sized businesses (SMBs). Another Forbes article shares the following statistics: Ransomware attacks in 2017 put nearly 25% of SMBs out of business. Some 60% of SMBs that suspend operations after an attack never reopen.
Industry 4.0 developments allow small businesses to reach much wider audiences, but the FCC says that a business doesn't have to use cloud solutions in order to be vulnerable. As long as you have a website and use email, you need an integrated cybersecurity strategy.
The Stakes are High
Companies bring on a CISO for a number of reasons, including a security breach, the recommendation of an audit group or Board of Directors or increased concern on the art of business customers and/or consumers. Basically, it's just good business, considering what's at stake.
Facebook, unfortunately, is an example of the scope and cost of breaches. In 2019, more than 540 million records about Facebook users were exposed by two third-party app developers, according the CBSNews.com.
Interestingly, in 2018 Facebook's CISO, Alex Stamos, left the company and Facebook chose not to replace Stamos, leaving the CISO spot empty. Instead, according to ZDNet, they distributed responsibility for security in a decentralized model in which security professionals are embedded in different divisions.
It's impossible to say that the 2019 breach wouldn't have occurred if Facebook had a CISO, and there's merit in distributing responsibility -- it could help ensure that information security awareness is infused into all aspects of a company's operations. At the same time, organizations need a single leader with a global view. Facebook stated that these app developers violated their policy against storing information in public databases. A CISO might have identified and mitigated these risks by ensuring careful oversight of the developers' practices.
Incidentally, for those who hear "cyber security" and immediately think "hackers," this case is insightful. The cyber security ecosystem is complex, and there are multiple internal and external points of vulnerability.
The costs of this breach are yet to be determined, but they can be substantial. For example, according to endgaget.com, the Federal Trade Commission levied a fine of $5 billion (no typo there -- billion, with a B) fine on Facebook in the wake of the Cambridge Analytical data breach, which first came to light in 2015. The settlement also stipulates that a new independent privacy committee will oversee Facebook's cybersecurity program.
Poor security can also substantially reduce the value of a company. In 2017, for example, Verizon acquired Yahoo!, but after due diligence assessments of two data breaches suffered by Yahoo!, reduced their initial offer by $925 billion. According to CNBC.com, they eventually settled on a $350 million price reduction.
Clarifying your Needs
Companies often feel the need to hire CISO in the wake of a security disaster, but this decision should be made with a cool head, not with hair on fire. Whatever the situation, you want to create a new CISO position based on the big picture, including company mission and strategy. Ideally you'll bring your new CISO on before any incidents, so that she or he can help prevent them.
The best advice in clarifying needs will be necessarily vague, as needs will vary from company to company. If your organization interfaces extensively with partners and vendors, for example, you'll want a CISO with strong knowledge of technologies like data integration and open application program interfaces (APIs). If you are an online retailer handling a high number of credit card transactions, your CISO should be familiar with Payment Card Industry Data Security Standards (PCI DSS).
You know your organization's strategic goals, but keep in mind that you may not know what you don't know about cybersecurity. The fact that you feel a need to make this hire means that some parts of what a CISO brings is missing on your team. You may want to engage an industry consultant to help you define the role so that the job description and candidate profile are thorough and yet tailored to your needs and company culture.
In addition, engaging cybersecurity talent presents an even greater challenge than recruiting for other IT roles. Professionals in this field maintain a low profile and, with a demand for talent that far outstrips the supply, hiring can be challenging. A good consultant will have industry contacts and trust-based relationships developed over time, along with the knowledge of what will motivate your ideal security leader to join your team.
Another thing to keep in mind is the complexity of cybersecurity. If it were just about firewalls, your current IT team could handle it. Instead, consider the many facets, including physical security, secure development, vendor application security and insider threats, among the myriad concerns. Don't think of it as a specialized focus, but as a broad discipline that impacts all functional areas of your business.
Defining the Role
Once you have a good understanding of your needs, the next step is to outline the new position. A quick sketch will give you some idea of the role and qualifications. Stephan Katz, considered the first CISO, helped Citigroup implement security programs in the wake of hacking attacks in the mid-90s. In an interview with CNBC, he said that the CISO's job includes architecture, operations, intelligence and risk assessment, data loss and fraud prevention, identity and access management, security program management, investigations and forensics, and governance.
If you run a government agency or your company is a federal contractor, your new CISO should have strong knowledge of the additional responsibilities this entails. For agencies that means candidates should be familiar with the Federal Information Security Modernization Act of 2002 (FISMA). For contractors, they should have a copy of the relevant National Institute of Standards and Technology (NIST) guidelines in their back pocket.
A bachelor's degree in Computer Science or Information Technology is a pretty strong preference, although the right experience might trump education. Many schools now offer cybersecurity degrees from the associate's to master's level. A strong candidate will have at least ten years of experience in information security, including leadership roles.
Technically, they should have an understanding of networking and communication; security-related hardware, software and firmware; IT infrastructure; operating systems as well as application software; mobile systems; secure practices in coding; risk assessment experience; and regulatory compliance.
They should understand that they are protecting not only the company's information, but also that of customers and partners. To fulfill their risk management mandate, they will need to be able to transition back and forth between the roles of team player and objective observer.
CISOs and CIOs
The objective observer element is part of an ongoing industry conversation about the difference between a CISO and a CIO. As you bring on a new CISO, it's a good idea to understand where the two roles overlap and where they are distinct. At the risk of oversimplifying things, they both manage and protect information, but from different points of view.
The CIO owns the technology solutions that expedite business operations, ensuring that the technology is up-to-date and functions well. The CISO manages information security, including identifying potential risks and anticipating future ones. Both roles have to understand the balance between business objectives and risk exposure, but the CIO is likely to lean more toward the former and the CISO more toward the latter.
KJlogix.com reports that more than half of all CISOs report directly to the CIO. However, based on a survey of 250 security leaders, Kaspersky Daily recommends a structure in which the CISO and CIO are peers and both report to the CEO. That promotes the CISO's independence from CIO influence, which helps eliminate conflicts of interest, and also recognizes that information security is not just an adjunct to IT, but a critical function. For example, with a mission of facilitating business objectives, a CIO wants to promote high accessibility. For the CISO, however, this can raise red flags.
Just as important as delineating responsibilities is ensuring a positive and collaborative relationship between the two. In certain circumstances, this relationship can be adversarial. However, a CEO and Board of Directors that values both roles independently does themselves, stakeholders and the overall organization a service.
SecurityRoundtable.org argues that a good relationship is a collaborative one in which both recognize their common ground, embrace overall business objectives, and respect one another's unique role. The right amount of dynamic tension between the two can be healthy, as long as they communicate frequently, openly and honestly, and have support from other senior leaders.
If you run a small or medium business and the CISO role is either intimidating or inappropriate, consider bringing on a Security Architect to ensure in-house subject matter expertise in both security engineering and security strategy. You might even have someone already on the team with the right qualifications or a senior engineer that is ready to grow into a larger role. Either way, the key is to give this role enough autonomy and authority to act as an independent voice when necessary. That means the individual will need the assertiveness to stand their ground and will need the support from the Executive Team to do so.
Last but not least, here are some things to keep in mind during the recruiting process, whatever the size of your business. First of all, your organization needs to be on board with a big change. Company executives and even the Board should be prepared to welcome the CISO to the table and support the changes he or she is likely to recommend.
In addition, a good candidate should: Have solid business acumen. Darrell Keeling, CISO at Land's End, says, “Today security is a real business enabler, and proves to be a competitive advantage.” A candidate should be able to cite examples of real situations demonstrating their ability to align business needs and security.
Be able to communicate effectively with non-technical people. Ask for examples of situations in which they had to translate technical jargon around a risk scenario into business language.
Bring the interpersonal skills, emotional intelligence and organizational savvy to interact effectively with people at all levels in all departments. Have they worked directly with users as part of assessing risk? Are they able to manage the expectations of the C-suite and board?
Have a track record of success in planning significant changes, leading execution of the plan, and ensuring ongoing success. The last piece involves fine-tuning the technology and processes, but maybe even more important is the culture aspect, so see the next point . . .
Be able to embed cybersecurity into your company's culture. Stephen Katz points out that people are the key elements in the security ecosystem. In the Citigroup attack, the breach was first noticed by employees reviewing green-stripe printouts, who spotted and reported anomalies. Can your candidate share a similar story?
Be passionate about keeping pace with changes in technology and anticipating risks in order to help the company stay one step ahead. Do they attend industry events? Are they active members in relevant professional organizations?
According to Wired.com, Facebook CEO Mark Zuckerberg has called cybersecurity an "arms race." It requires full-time vigilance from a dedicated leader who understands the complexity involved. Finding that leader won't be easy, but it may be the most important decision you'll make in 2021.