When a data breach happens, the finger always points to the C-suite, be it the CISO, CIO or CEO. That is unsurprising: the sheer number of data breaches that come to mind shows that cybersecurity failures can be catastrophic for company finances, careers and reputations.
The role of the CISO is undoubtedly changing. Not only does the role carry more responsibility than ever, but the heightened risks associated with it have put it firmly in the spotlight of both the Board and the industry as a whole.
With data breaches showing no sign of slowing and cyber threats evolving daily, where does the CISO fit in all of this?
Despite the risks, many organizations are investing in someone to deal specifically with increasingly sophisticated cyber threats, either because they have the right Information Assurance (IA) mindset or because of the growing pressures around compliance, risk and governance.
However, the role has evolved beyond its traditional responsibilities and core tasks of developing, deploying and maintaining an information security programme. The CISO has morphed into a far more integral role: identifying risk across the entire business and raising employees' awareness of the damage a data breach can cause. Additionally, the role now has a direct reporting line to the Board of Directors rather than to a CIO or CTO, extending both its visibility and its accountability.
The essential CISO qualities
Whilst the characteristics can vary from organization to organization, a CISO should at least be diligent, attentive and risk aware. They must be acutely aware of the challenges surrounding not only their own role but the entire organization. New threats need to be identified and new protocols put in place, all of which need to be consistently managed and maintained to keep up with the evolving threat landscape.
They must also be an excellent communicator and understand their audience; explaining threats and solutions in technical terms to a non-technical Board will not get them very far. Instead, the Board wants to hear about the financial implications. Removing tech jargon that is not relevant is also a crucial quality, because the Board of Directors needs to be fully aware that cyber risk now has fiduciary implications and must be given the time and attention it deserves.
Change the mindset from the top
The decisions the CISO makes will be vital to ensuring the organization is secure. Information Assurance focuses on securing the data rather than the network. By thinking in these terms, and by understanding the sensitivity of the data and the risk of its compromise, the CISO can focus on technology decisions that protect the data itself and not just the network the data runs over. When the network is compromised, it is the data that is put at risk, and we all know the consequences this can have.
Ultimately, the CISO holds a role of trust, and both the Board and the wider organization will look to them to lead the cybersecurity strategy. By adopting this new security posture, in which security is decoupled from the network, the CISO can be seen as the catalyst for change in any organization. Every CISO must understand the risks associated with security and make it a top priority for their Board.
If you are a CISO looking for a new solution to secure your organization, get in touch today to find out how Certes Networks can help you.