The role of Chief Information Security Officer (CISO) has grown in prominence in recent years due to a series of high-profile hacks and leaks and the changing nature of cyber threats.
Organisations around the world are being embarrassed at best and at worst can be bankrupted by the type of daily breaches that a seasoned security executive could have prevented. The threats themselves are immensely varied, as are the actors behind them, ranging from nation states and criminal gangs to teenage hackers.
The role itself has also evolved immensely, adding business awareness and technical skills to the CISO's established grounding in security knowledge. A CISO advises executives on their organisation's security risks and requirements and sets a strategy designed to minimise them.
A study conducted by the Ponemon Institute in 2016 found that the appointment of a CISO reduced the cost of a breach by $7 (£6) per record. Salaries for CISOs are "absolutely rising above inflation", according to Harvey Nash director Robert Grimsey, as companies across the country search for individuals with the right combination of security expertise and leadership skills to set the cybersecurity vision for an organisation and then ensure that it’s made a reality.
Despite their growing prevalence, not everyone agrees that a CISO is essential at every organisation. Only 49% of companies currently employ a CSO or CISO, according to Cybrary’s 2016 Cyber Security Job Trends Report.
Does your organisation need a CISO?: Changing times
A CISO will not guarantee security, but they are almost certain to improve it. Drawing on their detailed understanding of the systems in use, they can set a response plan that ensures any breach is handled in a structured way rather than with an emotional reaction that often requires costly repairs.
Some of the sure signs that a CISO is needed include leadership shortcomings in IT skill sets, security breaches, and poor coordination between security and business needs and functions.
Appointing a CISO may appear unnecessary while systems seem secure, but waiting until a breach occurs can be disastrous. The role is intended to dictate strategy, an objective that will be hindered if they’re fighting fires from the start.
Not every company is ready to commit to hiring a CISO. Small-to-medium enterprises (SMEs) with more basic requirements for operational security may not yet need a dedicated security executive ready to set security standards and make major organisational changes from day one on the job.
A CISO needs full trust in their ability, along with the freedom to plan independently and to act immediately on any incident. They also need direct access to the board, or even a seat alongside the other executives in the organisation.
They are responsible for providing a bridge between executives and engineers and for understanding how the business and IT interact. They must work in partnership with the CIO, rather than as a subordinate, to ensure that the priorities of one are not made secondary to those of the other.
Does your organisation need a CISO?: Timing is everything
Assigning the overall responsibility for security to a single formal role is preferable for the vast majority of companies, but some companies with smaller risks and budgets are prepared to do without and rely on existing staff members to fulfil their requirements. Even the smallest organisations will be taking a chance, but they may believe that the reward outweighs the risk.
Hiring a CISO requires an investment of time and money and a wholehearted commitment from the entire organisation to make the role a success. The company must be prepared to meet certain requirements first.
A safer first step could be to hire a director of security to trial their security leadership skills before deciding whether they can move on to the CISO role. It’s not an easy transition, and directors of security often prefer to make the move at another company where they can start afresh.
The organisation may not have the structure or maturity for such an experienced security specialist, and could struggle to justify the considerable expense. An alternative, albeit one with major drawbacks as mentioned above, would be to absorb it into the role of CIO.
A better option may be to hire a virtual CISO, who can work part-time on-site and remotely when required, to take on the responsibilities on an interim basis or supervise a less experienced security head.
Companies may be put off by the high cost and small talent pool, a lack of understanding of the role and concerns about how it fits in with the company hierarchy, but for large organisations, the benefits will almost always outweigh the costs.
Security is too important not to hire a CISO, and the emerging threats too complex to leave the responsibility in the hands of people who aren't wholly dedicated to protecting the business from the dangers.