Chief Information Security Officers have become increasingly common in recent years due to the changing nature of cyber threats and the growing value of data.
Organisations around the world are regularly embarrassed at best and at worst can be bankrupted by the type of daily breaches that a seasoned security executive could have prevented.
In 2017, startup unicorn Lyft, Fortune 500 retailer Staples, Delta Airlines, one of the world's largest airlines, and government bodies from here to New South Wales, Australia all added a CISO to their ranks for the first time. Each of them had suffered a data breach shortly before the appointments. In the CIO 100 in 2017, 70% of the organisations on the list had a security leader reporting into the CIO function.
Their numbers have grown as their role has evolved, adding business awareness and technical skills to their established grounding in security knowledge. A contemporary CISO advises executives on their organisation's security risks and requirements and sets a strategy designed to minimise them.
A study conducted by the Ponemon Institute found that the appointment of a CISO reduced the cost of a breach by $7 (£5) per record. Salaries for CISOs are "absolutely rising above inflation", according to Harvey Nash director Robert Grimsey.
There are still some organisations that believe they don't need a CISO, but the number is rapidly declining.
Why CISOs matter more than ever in 2018
Gartner predicts that worldwide security spending will reach $96 billion (£71 billion) in 2018, an 8% increase on the figure for 2017. The organisations that get the most value from their expenditure will have a strong understanding of data protection and risk management. A CISO can help ensure that any outlay is money well spent.
"All recent high profile cyber-attack incidents could and should have been prevented with relatively low-cost solutions," Brian Lord, the former GCHQ Deputy Director for Intelligence and Cyber Operations, told CIO UK.
"The reason breaches are growing is because companies aren't protecting themselves properly, because they are being made confused by the cyber security vendors."
The growing threat causing companies to splash their cash on security has been accompanied by increasing public concerns around privacy and the arrival of stricter data protection regulations.
The most notable of these in 2018 will be the introduction of GDPR. Breaches can result in fines of up to £17 million or four percent of global annual turnover, but more than half (54%) of companies still have no plan in place to ensure compliance, according to research by data analytics company SAS. Hiring a CISO would help them reduce the risk.
"Increasingly when a company is breached the pain is felt in the boardroom as organisations are often hit with huge fines, reputational damage and even lawsuits," Bharat Mistry, security strategyist at Trend Micro, told CIO UK.
"This change is leaving executives very concerned; they want assurances that systems are fully secure and they are fully compliant against the regulations they face. Hence as indicated by the research we are now starting to see more CISOs being employed by organisations".
When a CISO is essential
CISOs cannot guarantee security, but are almost certain to improve it. They can set a response plan based on their detailed understanding of the systems used to ensure a structured response to any breaches rather than an emotional reaction that will often require costly repairs.
Some of the sure signs that a CISO is needed include leadership shortcoming in IT skill sets, security breaches, poor coordination between security and business needs and functions.
Appointing a CISO may appear unnecessary while systems seem secure, but waiting until a breach occurs can be disastrous. The role is intended to dictate strategy, an objective that will be hindered if they’re fighting fires from the start.
Not every company is ready to commit to hiring a CISO. Small-to-medium enterprises (SMEs) with more basic requirements for operational security may not yet need a dedicated security executive ready to set security standards and make major organisational changes from day one on the job.
A CISO needs full trust in their ability and freedom to plan independently and act immediately to any incident. They also need direct access to the board, or even a seat alongside the other executives in the organisation.
Read next: First 100 days as a CISO
They are responsible for providing a bridge between executives and engineers and understanding how the business and IT interacts. They must work in partnership with the CIO, rather than as a subordinate, to ensure that the priorities of one don't become secondary to those of the other.
If CISOs don't believe that the organisation is committed to the cyber security cause, the demand for their skills means they can find work somewhere that does.
In a recent survey of cyber security professionals conducted by ESG and the Information Systems Security Association (ISSA), 36% of respondents said that the most common reason for a CISO to change jobs is that the corporate culture doesn't emphasise cybersecurity. Another 34% said CISOs are most likely to leave when they're not an active participant at executive-level.
"Today, many large enterprises operate in silos at organisational, operational, and technological levels," Barclays Group Security Function CIO Elena Kvochko told CIO UK.
"In order to mitigate and remediate security vulnerabilities, recognise patterns, reduce operational gaps, improve collaboration, efficiency and react in real time, CISOs need to enable an integrated end-to-end response."
The different approaches to cybersecurity
The vast majority of companies will prefer to assign the overall responsibility for security to a single formal role, but some with smaller risks and budgets may choose to rely on existing staff members to fulfil the requirements. Even the smallest organisations will be taking a chance, but they may believe that the reward outweighs the risk.
Hiring a CISO requires an investment of time and money and a company-wide commitment to make the role a success.
A safe first step could be to initially hire a director of security to trial his or her security leadership skills before a promotion to the CISO role. It's not an easy transition. Directors of security often prefer to make the move at another company where they can start afresh.
Other organisations may not have the structure, budget or maturity for such an experienced security specialist. An affordable but flawed alternative would be to absorb it into the role of CIO.
A better option may be to hire a virtual CISO, who can work part-time on-site and remotely when required and take on the responsibilities on an interim basis or supervise a less experienced security head.
Some companies may be put off by the high cost and small talent pool, a lack of understanding of the role and concerns of how it fits in with the company hierarchy, but for large organisations, the benefits will almost always outweigh the risks.
Security is too important not to hire a suitable specialist, and the emerging threats too complex to leave the responsibility in the hands of underqualified part-timers.