The coronavirus may mean the end of the open office plan, in-person conferences, and handshakes, and the addition of the chief information security officer (CISO) to more executive teams.
Bitglass researched Fortune 500 companies and found that many organizations lack an authentic and lasting commitment to cybersecurity. The good news is that 62% of companies have a CISO, but only 4% listed the role on their leadership pages. Also, 77% had no information on their websites about who is responsible for security strategy.
As data breaches continue at an ever faster pace, it’s easier for CEOs to understand that security is not just a cost center but a necessity to protect a business’s reputation. Retired Air Force Brigadier General Greg Touhill said more and more organizations are realizing that the CISO and his or her team are crucial to mission success.
“A failure by the cybersecurity team could be an existential disaster,” he said.
Touhill was the first federal chief information security officer of the US government. He is currently president of AppGate Federal, a security firm that works with government agencies to modernize networks and security strategies.
Ellen Benaim, the CISO at Templafy, a SaaS company that provides template management for Microsoft Office and Google suite users, said that the current work-from-home conditions resemble how CISOs operate in normal times: being agile and adaptable, and taking action without having all the needed information immediately available.
“The CISO role has had to adapt to face the challenges of everyone working from home and be prepared when hackers are still developing new things to exploit,” she said.
Bitglass also studied the impact of data breaches on publicly traded companies and found that these breaches have cost companies an average of $347 million in legal fees, penalties, remediation costs, and other expenses and a 7.5% decrease in stock price.
If your company doesn’t have a CISO, this advice from three security experts can help make the case for adding this role to the executive team.
Why companies need a CISO
At Templafy, Benaim took over the CISO job from the co-founder of the company.
“If your business is in any way involved with processing information for another person, it’s very important to have someone looking out for security and privacy as well,” said Benaim, who reports directly to the chairman of the board and works with Templafy’s board of directors to describe the threat landscape the company faces and to communicate that in a way that is understandable to a non-technical audience.
Sue Bergamo has two roles at global ecommerce company Episerver: CISO and CIO. She said the two roles go hand in hand.
“As CIO, taking care of the back office always has a security component to it and from a CISO standpoint, the enterprise must be a constant focus,” she said. “At the end of the day, prioritization is paramount with security and customers in first place.”
Bergamo said that she often meets with customers to answer questions about the company’s security program and attends customer and partner events as often as possible. Because third parties are often the source of data breaches, it’s even more important for vendors to build trusted relationships with customers, she said.
Before adding a CISO to the executive team, Benaim recommended that companies conduct an internal assessment of the maturity level of current security practices as well as the most important business goals.
Joining the executive team
For a CISO to be the most effective, he or she should be on the executive team. Touhill said that many first-time CISOs are disappointed to find that they do not have a seat at the executive table or even report to the CEO.
Touhill listed several key signs that an organization views a CISO as a mission-critical role. First, the CISO should report directly to the CEO, and the CEO should publicly designate the CISO as a member of the senior executive team.
Next, the CISO should provide regular reports to the corporate board.
“If the board is not regularly getting reports and interacting with the CISO, that is a sign that the CISO is not considered an essential member of the executive team,” Touhill said.
Finally, CISOs need the authority to create, monitor, and enforce cybersecurity policy.
“Successful CISOs know they operate as part of a team and ensure they continually coordinate among all business lines and staff elements to ensure cybersecurity policies are linked to the enterprise strategic goals and objectives and are viewed as enhancing the organization rather than hindering it,” he said.
Touhill said successful CISOs often spend more time with their line of business peers than they do with their direct reports.
“They serve as cybersecurity ambassadors across the organization; as strategic advisors guiding policy, processes, and technologies to better secure the organization; and as a technology senior leader, taking active measures to lead the current and future generations of technology personnel in the organization and community,” he said.
Another key skill is the ability to understand privacy and security frameworks, including GDPR, ISO 27001, and CCPA, and then interpret how those rules apply to a particular company.
“You have to see what they say at the level of best practices and then apply those frameworks in a way that is efficient and supports the goals of your company,” Benaim said.