As the nature of cyber threats evolves and their volume multiplies, Chief Information Security Officers (CISOs) have become an increasingly common fixture of the business landscape. Companies handling sensitive data are at risk of embarrassing data leaks, which compromise the security and confidentiality of their clients and cost them both financially and in terms of reputation.
A seasoned security professional dedicated to a company's cybersecurity means these types of attacks can be better mitigated, which explains why a growing number of companies are looking to bring a CISO on board.
In 2017, startup unicorn Lyft, Fortune 500 retailer Staples, Delta Airlines and government bodies from the UK to New South Wales, Australia all added a CISO to their ranks for the first time after suffering a data breach shortly before. In the 2017 CIO 100, 70% of the organisations on the list had a security leader reporting into the CIO function.
Their numbers have grown as the role has evolved, layering business awareness and technical skills on top of a strong foundation of security expertise. Today, CISOs advise executives on their organisation's security risks and requirements and set a strategy designed to minimise them.
"Security isn't purely focused on technology, and the role of the CISO is not solely a technical one," Trainline Security Director Mieke Kooij told CIO UK. "Security is about creating a culture where information and systems are protected by shifting how people interact with them. Where possible we use technology and automation to do this, but ultimately, it's about gaining consumer trust, winning hearts and minds and changing behaviour."
A study conducted by the Ponemon Institute found that the appointment of a CISO reduced the cost of a breach by $7 (£5) per record. Reflecting this added value, salaries for CISOs are "absolutely rising above inflation", according to Harvey Nash director Robert Grimsey.
While some organisations still believe they don't need a CISO, that number is rapidly in decline.
Why CISOs matter more than ever in 2018
Gartner predicts that the global spend on security will top $96 billion (£71 billion) in 2018, an 8% increase on the sum for 2017. And the organisations that extract the most value from their expenditure will have a strong understanding of data protection and risk management. A CISO can help ensure that a company's security budget is effectively spent.
"All recent high-profile cyber-attack incidents could and should have been prevented with relatively low-cost solutions," Brian Lord, the former GCHQ Deputy Director for Intelligence and Cyber Operations, told CIO UK.
"The reason breaches are growing is because companies aren't protecting themselves properly, because they are being made confused by the cyber security vendors."
Increasing public concerns about privacy and the arrival of stricter data protection regulations such as GDPR - where breaches can result in fines of up to £17 million - have also influenced rising cybersecurity budgets.
"Increasingly, when a company is breached the pain is felt in the boardroom as organisations are often hit with huge fines, reputational damage and even lawsuits," Bharat Mistry, security strategist at Trend Micro, told CIO UK.
"This change is leaving executives very concerned; they want assurances that systems are fully secure and they are fully compliant against the regulations they face. Hence as indicated by the research we are now starting to see more CISOs being employed by organisations."
When a CISO is essential
CISOs cannot guarantee security, but they can improve it. One way of mitigating the effects of a security breach is to develop a response plan based on the CISO's expert understanding of security systems.
Some of the sure signs that a CISO is needed include leadership shortcomings in IT skill sets, security breaches and poor coordination between security and business needs.
Appointing a CISO may appear unnecessary while systems seem secure, but waiting until a breach occurs could be disastrous. A preventative rather than reactive approach to security issues is by far the more sensible. The role is structured to dictate security strategy, an objective that will be hindered if the CISO is fighting fires from the start.
Not every company is ready to commit to hiring a CISO. For example, small-to-medium enterprises (SMEs) with more basic requirements for operational security may not yet need a dedicated security executive ready to set security standards and make major organisational changes.
A CISO needs full trust in their ability and freedom to plan independently and react immediately to any incident. They also need direct access to the board, or even a seat alongside other C-level executives.
They are responsible for providing a bridge between executives and engineers and understanding how business strategy and IT aims interact. They must work in partnership with the CIO, rather than as a subordinate, to ensure that the priorities of one don't become secondary to those of the other.
In a recent survey of cyber security professionals conducted by ESG and the Information Systems Security Association (ISSA), 36% of respondents said that the most common reason for a CISO to change jobs is that the corporate culture doesn't emphasise cybersecurity. Another 34% said CISOs are most likely to leave when they're not an active participant at the executive level.
"Today, many large enterprises operate in silos at organisational, operational, and technological levels," Barclays Group Security Function CIO Elena Kvochko told CIO UK.
"In order to mitigate and remediate security vulnerabilities, recognise patterns, reduce operational gaps, improve collaboration, efficiency and react in real time, CISOs need to enable an integrated end-to-end response."
Different approaches to cybersecurity
The vast majority of companies will prefer to assign the overall responsibility for security to a single formal role, but some with smaller risks and budgets may choose to rely on existing staff members to fulfil the requirements.
Hiring a CISO requires an investment of time and money and a company-wide commitment to make the role a success. In some cases, the CISO can lead a transformation of company culture surrounding cybersecurity. Richard Orme, CTO of the Photobox Group, told CIO UK that before the firm hired a CISO, security was often a tick-box exercise following the development of a new service or product.
"So we went out and hired a guy called Dinis Cruz, who's our CISO, who is an active member in the security community right now," said Orme. "He hosts a lot of meetups, he's regarded as a thought leader in this space. We sort of gave him a blank piece of paper, and said, 'Okay. If you were going to take a look at everything we do, how should we rethink the way we do security?'
"It's not so much a question of, what tools can we buy to help us? It's, how do we change as an organisation? How do we change our culture? That's where our CISO has been very strong. He'll sit with the engineering teams and educate them, and he'll create challenges for them. He'll commit code with them. So he really talks their language, and they respond to that massively. Instead of seeing security as something that they have to do, they now see it as an interesting problem to solve."
Other organisations may not have the structure, budget or maturity for such an experienced security specialist. An affordable but flawed alternative is to absorb the responsibility into the role of the CIO.
A better option may be to hire a virtual CISO, who can work part-time on-site and remotely when required, take on the responsibilities on an interim basis, or supervise a less experienced security head.
A safe first step for companies planning to bring a CISO on board could be to initially hire a director of security, trial his or her security leadership skills, and then promote that person to the CISO role.
Some companies may be put off by the high cost and small talent pool, a lack of understanding of the role and concerns of how it fits in with the company hierarchy, but for large organisations, the benefits will almost always outweigh the risks.
Security is too important not to hire a suitable specialist, and the emerging threats too complex to leave the responsibility in the hands of underqualified part-timers.