The role of the chief information security officer has come a long way since the early days of the cybersecurity industry. As the value of sensitive data has grown – to organizations and cybercriminals alike – so has the position of CISO, in a way barely even imagined a decade ago. Firms like Target, JPMorgan and Sony have all found out to their cost what can happen when there’s no strong leadership in security and risk management.
Yet, given the continued skills shortage in the industry, the problem for firms is finding the right person to fit the job. To give you a little helping hand, Trend Micro has come up with a short checklist of key attributes all organizations should be looking for in their first, or next, CISO.
Back in time
We’ve certainly come a long way. Back in the early days of the industry, so-called information security officers mainly dealt with hands-on tactical issues like tweaking firewalls, regulating access controls and applying AV. It certainly was not a board room position and frequently didn’t even report to the CIO, with little opportunity to effect any organizational change.
Today, things have transformed almost beyond comprehension. With organizations’ data at risk from a highly motivated, well-resourced and disparate set of agile cyber adversaries, the stakes have been raised to the max. Breaches cost millions of dollars on average in clean-up, fines and potential lost revenue. Leaked IP and other sensitive data could also cost a firm dearly in lost competitive advantage.
In short, the CISO now frequently has the ear of the CEO as a vital member of the organization, spanning IT, business continuity, legal, facilities and compliance – to name but a few. It’s a highly strategic role which has the power to set the tone and vision for information security investments and roadmaps.
Where are they?
The only problem is that CISOs are in high demand today. With skills shortages continuing to plague the industry, employers are finding it tough to lure the right talent with that much-needed blend of technical ability and business sense.
If you have been breached or fear a major compromise like Sony or Target, hiring a CISO is not a silver bullet. The person who fills that role will only be successful if they are given enough budget and resources, and if the organizational culture is relatively sympathetic to their strategic aims.
Key skills checklist
That said, there are several things to look for in prospective candidates that could help to narrow the shortlist down. Your CISO must be able to:
- Understand the business
- Possess key business skills including risk management and governance
- Communicate with the board in a language they understand
- Understand contracts and their security implications, e.g., with cloud service providers, outsourcers, etc. They need to find security issues during the negotiation process and point them out to key stakeholders such as the legal department
- Identify new and emerging threats and the technologies to deal with them, such as Trend Micro’s APT-hunter tool Deep Discovery, Deep Security and the Smart Protection Suites
- Show leadership – be proactive in planning information security projects and have a clear vision for the department