Information security experts with a knowledge of the threat landscape are crucial to every business today. Not only can they provide a deep perspective on risk, but they can enable a business to function optimally while mitigating that risk.
by Sharon Florentine
When it comes to security, you’re better off employing a specialist. However, according to recent research, less than half of companies employ a CSO/CISO.
Your CIO has enough on her/his plate without taking on responsibility for security, too. While there’s plenty a CIO (or a CTO) can tackle when it comes to security, these roles are “generalists.” What you really need is a chief security officer or a chief information security officer (CSO/CISO) — a security specialist.
The Cyber Security Job Trends survey from free online security MOOC provider Cybrary, which polled 435 senior-level technology professionals from October to December 2015, found that only about half or 49 percent of respondents say their companies employ a CSO/CISO who’s solely responsible for security.
“Even though we found that cybersecurity professionals, at all levels, are fully aware, and experiencing first-hand that the available talent is not keeping pace with demand needs, I was surprised by the alarmingly low number of companies that employ a CSO/CISO who is responsible for security,” says Trevor Halstead, product specialist, talent services, Cybrary.
But if you already have a CIO and a CTO, why do you need a separate C-suite role for security? It’s about prioritizing both the business and the security of information, infrastructure, sensitive data and your public reputation, and minimizing the risks to all of these before a breach occurs.
A dedicated CSO/CISO will not only have depth and breadth of knowledge about the threat landscape, protective approaches, tools and techniques to protect infrastructure and information, but a unique perspective on how to analyze and mitigate risk, says Salo Fajer, CTO of data loss prevention and managed security service provider Digital Guardian.
“What a CSO/CISO can bring to the table is much more than just a specialty in technology, an acute awareness of the possibility of attacks and knowledge of the threat landscape. It’s about having a broad and deep perspective on risk, and how to enable the business while minimizing that risk,” says Fajer.
A CSO/CISO’s major role in an organization is first to enable the business to function optimally, but within safe parameters to minimize the risk of threats, attacks and business disruption, says Fajer. Being able to identify and assess threats, and then translate the risks into language to help other members of the C-suite to understand what’s at stake is critical, he says.
“You not only need to be able to view business operations from a risk versus functionality perspective, you have to be able to discuss these in the language that a CEO, a CIO and other C-suite peers can understand and can appreciate,” Fajer says. A background both in the technical aspects of security and broader business knowledge and experience are important here, he says.
Digital Guardian’s research, culled from publicly available information on the Fortune 100 (F100) companies that employ a CISO shows that most in this role effectively combine both.
Though most F100 companies’ CISO’s, 59 percent, came up through the IT and IT security ranks, 40 percent hold a degree in business; 85 percent hold a bachelor’s degree, according to the Digital guardian research.
“There’s no specific path for becoming a CSO/CISO; there is a propensity for coming from IT and IT security, and there’s definitely an emphasis on integrating that with the needs of the business. You need to have someone with the security background, the experience and certifications that are enriched by business knowledge,” says Fajer.
While IT certifications in general aren’t the major differentiator they once were, Fajer says in the IT security space in particular, they’re still incredibly relevant. Digital Guardian’s research shows that on average, F100 security leaders hold 2.86 certifications, with the CISSP certification held by 53 percent of those CISOs.
“Security certifications are still very much experience-oriented, with a lot of hands-on learning and real-world components to the credentialing exams. Because of the diverse mix of educational background, security pros rely on these certifications to show they have the necessary skills and experience,” he says.
In the overall hierarchy of the C-suite, there are benefits to having an independent, separate role for a CSO/CISO, says Fajer.
“Some organizations have the CSO or CISO reporting to the CIO or CTO; some have the role separate and reporting to the CEO, much like the CIO and/or the CTO does. It depends on the individual businesses, but there’s something to be said for a stand-alone role who’s more independent; that way, the CSO/CISO can act almost like an auditor for other C-suite executives, and bring objectivity into discussions about budgets, resource allocation and business decisions,” he says.
Where your CSO/CISO came from is less important that what they can provide to your business; it’s really the difference between having a generalist with limited knowledge of a broad set of potential issues and having a specialist who can weave security best practices into your existing IT operation without disrupting the business, says Cybrary’s Halstead.
“Companies and C-level executives need to realize the absolute necessity of having a CSO/CISO responsible for security, and at the table when making security decisions. We have reached a tipping point where security should not be an afterthought; it should be incorporated into the everyday business decisions a company is making,” he says.