Not employing a chief information security officer (CISO) may sound foolhardy, but it is not uncommon. Only 49 percent of companies currently employ a CSO or CISO, according to Cybrary’s 2016 Cyber Security Job Trends Report.
Why is this? The reasons are myriad: a lackadaisical “it won’t happen to me” attitude toward information security, confusion about the CISO’s purpose, budget constraints, and difficulty identifying the right candidate.
Unclear KPIs, and CIOs carrying out CISO job functions, muddy the waters too. However, it’s increasingly clear that a CISO is required to prioritize information security and to act as a strategic enabler for the business.
Is the time right to hire your first CISO?
The most important point companies must understand is why they have made the decision to hire a CISO. Is it because they need someone to build a security infrastructure or to lead security strategy, or have they simply been advised to do so by the board of directors or audit committee? Who to hire then becomes the next question, given the differing skillsets of CISOs and the wide range of salary and leadership expectations.
Joyce Brocaglia, managing director at recruitment firm Alta Associates, recalls placing Steve Katz as Citi’s CISO back in 1994, widely believed to be the first such role. She says that both the role and the applicant have since changed. “Back then we were placing leaders whose focus was very technical in nature. Today, we are replacing those technicians with executives who have a holistic approach to security and risk, can act as enablers, and work with technology leaders in their transformational efforts.”
Katz himself believes Citi was ahead of its time in understanding the strategic value of security. After suffering an attack at the hands of a Russian group, Katz said this alone “was enough of a wake-up call for the CEO and board that they wanted a head of information security in place at the executive level.” He says that most firms are now looking to do the same, largely to adhere to GLBA, FS-ISAC and other regulatory requirements.
Two prime examples of first-time CISOs
Cloud-center-as-a-service firm Serenova hired Stuart Clark as its first-ever CISO in March in a bid to drive further business growth. “We had a security department but we didn’t have an elevated person in that position,” said CEO Vasili Triant, adding that the firm’s director of security had reported into engineering. “I wanted to be proactive and stay ahead of the curve.”
Describing Clark’s appointment as a “major strategic addition,” Triant interestingly noted it paralleled recent business growth, too, with a software business “doing gangbusters” resulting in a “lot more security questions” from customers.