As cybercrime evolves and becomes an ever-greater threat, so do the measures used to mitigate its impact – including the role of the CISO, who now combines technical nous with business acumen.
Steve Katz is the godfather of the Chief Information Security Officer (CISO). Back in 1994, after Citicorp was hacked by cybercriminals, the powers that be there had a revelation: to develop and implement the necessary strategy and policies that would prevent further attacks, they had to create a new C-level position – someone with the technical know-how required to implement security controls that would prevent further attacks. And so, the CISO was born, after information security guru Steve Katz took the trailblazing position at Citicorp – a role that has had to move with the digital times in the intervening years.
The changing face of the CISO
The early years
While the birth of the CISO was a huge stride forward in the battle against data breaches, its initial remit in those early days tended to be a technical one. To land a gig as a CISO, applicants – who typically hailed from technical positions within corporate companies, law enforcement or the military – had to be proficient in networking and operating systems. And once in place, they rarely interacted with the CEO, who foolishly believed they had much more important things to be concerning themselves with than technology. This rigid approach to information security failed to recognise that it’s a business risk issue, not just a technology issue.
The evolution of the CISO
Since then, the exponential growth of the internet has triggered an explosion in connectivity, providing businesses with new opportunities for customer expansion and product development. However, this reliance on all things digital has come at a cost: the evolution of customer data storage and usage has made them targets for dynamic cyberattacks. This nefarious activity exposes businesses to reputational damage, risk of financial loss, reduction in shareholder value, legal action and potential fines – for example, the Information Commissioner’s Office can issue a financial penalty for failing to report certain types of personal data breaches, as well as not demonstrating appropriate protections are in place to protect personal data as well.
The role of the CISO in this rapidly changing risk landscape is, therefore, more crucial than ever. To keep pace with the growing threat of cybercrime, a gradual shift has taken place – from a traditional technical approach to information security to a more business-focused, risk management mindset. The modern CISO’s ability to monitor, repel and respond to cyber threats, while meeting compliance requirements, is now dependent on soft skills such as communication as much as hands-on technical experience.
Take Steve Katz for example – who is still banging the drum for the CISO – he believes that: “The absolute best CISOs are those who can thoroughly understand security, understand technology but be incredibly adept at regularly meeting with business leadership and the board.”
The CISO is no longer simply a member of the IT function and a compliance monitor; the scope of their role has expanded to include the characteristics of a strategic business leader who integrates at all levels of the organisation. This leadership has become vital, not just from a risk control perspective, but to achieve value creation. They must build digital trust across the business and markets and provide consumers with the protection and privacy they demand by keeping data secure and transactions safe. Crucial to this is their ability to foster a culture of shared cyber risk ownership across the business.
Full-time vs. outsourced CISO
The evolution of the CISO knows no limits. While this dedicated information security professional is a vital layer of protection against the escalating and constantly evolving threat of cybercrime, adding a full-time C-level position to the wage bill might not be sustainable. CISO-as-a-service – also known as a Virtual CISO (vCISO) – solves this dilemma. Yes, a full-time CISO offers consistency, influence and enhanced public perception; however, for many businesses – particularly SMEs – the benefits of outsourcing the CISO function are compelling:
- Cost: experienced information/cybersecurity professionals are highly sought-after individuals, who often command a six-figure C-level salary. Research has revealed that outsourcing CISO services is approximately 30-40 per cent cheaper than hiring a full-time officer – a significant saving for an SME that could be used to implement proactive security controls and build a business-wide cybersecurity culture.
- Knowledge: an experienced vCISO offers a working knowledge of current techniques used to commit, and controls used to mitigate, cybercrime – all of which can be used to establish a proactive security strategy.
- Staff turnover – a recent study found that the average tenure of a full-time CISO is two to four years. Outsourcing the CISO limits this turnover, ensuring a consistent approach to information security that delivers meaningful results.
If you’re interested in learning more about a virtual CISO, click here