Does your organisation need a CISO?

How rising data security fears have boosted the role of the Chief Information Security Officer

You’ve heard it all before. ‘Cyber threats are on the rise’ shout the security firms. ‘It’s now a case of when, not if you become a target of a cyber attack’, you’re told on a weekly basis.

The truth is, data security has never been more important. The introduction of the EU’s General Data Protection Regulation was testament to that, forcing companies across the globe to get serious about how they collect, store and destroy the personal information of their customers.

The state of California has also passed its own law that mimics GDPR in order to boost the rights consumers have surrounding their own data.

As a result, a growing number of companies are actively hiring a dedicated CISO/CSO (Chief Information Security/Chief Security Officer) to help them handle sensitive data and mitigate the very real threat of data leaks or breaches that can cost organisations both financially and in terms of reputation amongst their customers.

According to Ponemon Institute’s 2017 Cost of Data Breach Study, last year the average cost of a data breach across the ASEAN region was $2.29 million. The report also found that appointing a CISO could reduce the cost of said breach by about $5 per stolen record.

However, as the nature of the threat landscape has evolved over the past few years, so too has the role of the CISO. A position that was once purely focused on the technical has now become more business orientated, with CISOs needing to take a proactive and business-focused approach to security.

While the role still oversees the hiring of an internal security team, CISOs must now also take responsibility for deploying security hardware, setting, reinforcing and updating a company-wide security strategy and auditing current systems to monitor any potential security flaws and mitigate future risks.

With different countries and continents implementing their own data governance laws, having a dedicated CISO can also prove crucial in allowing your organisation to conduct business overseas.

The bad news is that hiring is CISO doesn’t guarantee your business won’t be hit by a cyber attack. However, there is very little downside to improving internal security practices and hiring someone with a fundamental understanding of how security systems work.

Why CISOs matter more than ever in 2018

Between 27 June and 4 July this year, a cyber criminal gang stole the medical records of 1.5 million citizens from one of Singapore’s biggest healthcare groups, SingHealth. The hackers used a malware infected computer to gain access to the database, but officials said there has been a sustained and specific attack against the Prime Minister, Lee Hsien Loong, whose medical records were stolen in this breach.

Back in 2016, two hacking groups claimed responsibility for stealing the biometric data and passport information of more than 70 million Filipino voters. At the time, the cyber attack was reportedly the biggest government breach in history and the stolen information was later uploaded online.

Despite the continued growth of the digital economy throughout the ASEAN region, levels of cybersecurity readiness fluctuate significantly from country to country. To date, Malaysia, Singapore and the Philippines are the countries in the bloc that have data privacy laws in place. Furthermore, a report by A.T. Kearney states that the region is a hotbed for cyber attacks, with countries like Vietnam and Indonesia playing host to significant amounts of suspicious web activity and malware launch pads.

As a nation, Singapore has a robust cybersecurity infrastructure. However, research by ServiceNow has shown that CISOs in Singapore are, on average, lacking the resources necessary to make their company’s security strategy a success.

Unfortunately, this trend is being felt by the rest of the continent; an overwhelming 75% of CISOs in Asia are worried that data breaches are going unaddressed, with a further 71% raising concerns about their ability to even detect the breach in the first place.

Does your organisation need a CISO?

For the majority of large-scale organisations, employing a CISO makes sense from both a financial and a security perspective. As the threat landscape becomes harder to navigate, leaving the safety of personal data to chance is a risk most companies are no longer willing to take.

However, for smaller companies that lack the budget, structure or means to hire a dedicated security officer, there are other alternative solutions that can be put in place. Traditionally, the CIO would take responsibility for data security therefore absorbing the role of the CISO back into that of the CIO could help to temporarily bridge the security gap.

The bottom line is, whether it’s your CISO or someone else inside your company that has responsibility for your security strategy; ensuring they have the budget and support they need to do their job is fundamental.

As threat actors get smarter and cyber attacks become more sophisticated, the security of your company and the data it holds is far too valuable to be left at risk.