A Chief Information Security Officer (CISO) is responsible for designing cybersecurity strategies used to protect corporate data and assess risk across the organisation to improve on its cyber-defences. CISOs will design a security program, create disaster recovery plans, and educate users, executives, founders, and administrators on cybersecurity best practices.
What Does a CISO Do?
Just like a CIO (Chief Information Officer) is in charge of a team of system administrators, a CISO oversees a team of security professionals. Not every corporation can afford a large security team, so a CISO is present usually in large enterprise businesses. Small businesses can contract a CISO to help them build a security program, usually using a virtual CISO.
Because a CISO is a leader within your organisation, they also continue to monitor the cybersecurity landscape to instruct the security team on the next best course of action to protect data. The CISO makes recommendations based on the latest cybersecurity research to upgrade infrastructure and provide planning for new security tools to stop new threats.
Should a cyber-incident occur, the CISO might be the person authorised to begin disaster recovery and direct the security team on how to proceed. The CISO also has a hand in designing and implementing the disaster recovery plan, so that it is effective for incident response and limits downtime, keeping financial loss and damage to a minimum.
How Important Is the Role of CISO?
With no security team and no leader to evaluate your organisation's security, your business becomes a target for hackers, threat actors, and so on. The organisation is even more vulnerable to random scripted attacks that aren't even specifically designed to compromise your systems. Scripts run internet-wide scans on websites to find common vulnerabilities and often automatically exploit them. Whether it's an automated internet-wide scan or a sophisticated attack targeted at your business, a CISO finds ways to stop it.
The role of the CISO often falls under the larger umbrella of IT and operations. The security team works with both development and operations people to find better ways to improve data security. A CISO leads the security team; the security team works with developers to find vulnerabilities in corporate software and instructs them on how to write secure code. Operations people benefit from a CISO and the security team by installing infrastructure that protects data, whether that infrastructure is in the cloud or on-premises.
Usually, a CIO (Chief Information Officer) and CISO work together to design corporate infrastructure. The CIO oversees the design of networking infrastructure, and the CISO works with the CIO to integrate security infrastructure such as firewalls, patch management, backups, data access controls, monitoring, intrusion detection and prevention, user identity management, and workstation antivirus rollouts. The role of a CIO is to enable user productivity, and the CISO must ensure that users follow the right security best practices to protect corporate information.
What Makes a Great CISO?
Because a CISO is a leader, the role requires someone with good management skills. In addition to working with people well, the CISO must also be good with budgeting and planning. Anything the CISO does should be in the best interest of the organisation, so planning and security training should be specific to business needs.
Aligning security goals with corporate financial and productivity goals is the primary responsibility of the CISO. A good CISO will work with all stakeholders to ensure that security does not interfere with employee productivity but keeps them from accidentally exposing sensitive data.
A good CISO needs good leadership skills and a long history in cybersecurity and hacking. Some CISOs contribute to white-hat penetration testing and research into dark web activity to keep themselves educated on the latest threats and vulnerabilities in the wild. Because the CISO is responsible for planning and design, the CISO must be able to clearly communicate what is needed to improve security and reduce risk. A CISO also designs security awareness training programs to help employees recognise phishing email messages, malware, social engineering, and insecure activities.
Good cybersecurity spans the entire organisation and must be a company-wide effort. An organisation's CISO coordinates efforts to train and implement cybersecurity policies. Security teams distribute policies via email, employee handbooks, intranet sites, or internal courses. It’s a large undertaking to coordinate cybersecurity efforts, so a good CISO has the ability to manage people and resources to roll out effective policies.
Just like other areas in information security, the CISO never stops learning, researching, and using educational resources to understand the latest threats. New threats are deployed every day, and it's a CISO's responsibility to stay educated on them. New vulnerabilities are also discovered daily, so it's the CISO's responsibility to identify vulnerable software from the latest reports and quickly find ways to patch infrastructure.
Every business has its own strategy for information security and the right person to lead efforts. The role of a CISO is not clearly defined. Other than leading cybersecurity efforts, the CISO must be able to fit into organisational culture and follow best practices for cybersecurity deployment and risk management.
Passion for cybersecurity is often the key identifier of someone who will be a long-term investment for an organisation. The CISO could be hired from within as employees climb the corporate ladder, but a good CISO could also be found externally. The CISO should be familiar with normal business practices to slip easily into the role of a leader. It helps the business when the CISO understands IT budgets and how to fund infrastructure while setting priorities.
The two main frameworks used as best-practice baselines are those published by NIST and ISO. When a new CISO joins the team, they review current practices, benchmarks, risk assessments, and other business processes. They need the skills to examine current practices and build a plan to improve them.
Most businesses have embraced an at-home workforce, so a CISO should also understand the cloud and cybersecurity surrounding cloud infrastructure. Cloud migration and integration into on-premises infrastructure are common in today’s computing environments. The CISO must be able to direct operations people and developers on the best ways to leverage the cloud to make employees more productive.
Why Hire a CISO
You don't know what cybersecurity infrastructure you need if you don't know the risks within the environment. A CISO performs risk assessments to find vulnerabilities and weaknesses across the network. In many small organisations, several vulnerabilities exist without anyone being aware of the risk. The CISO identifies risks and creates strategies to remediate them.
The main reason to hire a CISO is to leverage their knowledge so that the CISO can create a plan and design a cybersecurity strategy to reduce risk. The other reason a CISO is beneficial is that they can bring your organisation into compliance. If your organisation must follow specific compliance guidelines and your environment is not compliant, it can cost millions after a data breach.
Saving money and preserving your brand's reputation are two main reasons for hiring a CISO. A data breach can cost millions in litigation, brand damage, downtime, lost revenue, and lost customer loyalty. The long-term effects of a data breach can last years, and it bankrupts some small companies. A CISO protects the organisation from revenue-impacting data breaches and keeps your organisation compliant with regulatory requirements.
The Future of the CISO
Being in the cybersecurity field requires anyone to adapt to a changing and evolving landscape. New threats are introduced every day, and many of them target businesses. CISOs deal with new threats, but the CISO of the future must also understand how to protect the newest technologies: artificial intelligence (AI), the Metaverse, social media, quantum computing, and many other future technologies.
Most standards suggest that the best cybersecurity environments use a zero-trust strategy. A CISO must know zero-trust standards and how to implement them in any environment. Adopting a new strategy might be difficult for an organisation with older technology, so the CISO must be able to lead the organisation into a new framework with as little downtime as possible.
Virtual CISOs are also popular with corporations that do not want to hire a full-time executive but need a cybersecurity leader. A virtual CISO (vCISO) performs all the same functions as a standard CISO, but a vCISO works when the organisation needs help rather than overseeing a security team full-time. A CISO is an expensive employee, so a vCISO is an affordable option for small businesses that can’t afford a regular full-time executive.
Proofpoint Resources for More Information
Proofpoint has a CISO hub that contains resources to help CISOs with the challenges of cybersecurity, zero-trust networking, and cloud computing. We also help CISOs with research into the latest threats and the latest strategies for monitoring, containment, and eradication. The CISO hub is a good place to start.
Check out our whitepaper, the Voice of the CISO Report, where we review the previous year's cybersecurity incidents, new strategies that can be used to fight threats, and the ever-changing role of the CISO and the challenges they face.
To hear what other CISOs think around the world, check out our CISO Perspectives page.