What makes a CISO a CISO?

It is difficult to imagine any business that does not use, or interact with, a digital platform of some kind. From a humble website, through social media, integrated supply chains, manufacturing, or simply accepting online payments, businesses today are reliant on a functioning digital infrastructure. The results from Accenture’s 2021 review of the state of cybersecurity , based on 4,744 global respondents, are perhaps not surprising. They found that on average, there were 270 attacks (unauthorised access of data, applications, services, networks, or devices) per company, during 2021.  That is a rise of 31% in just one year!

In response to this threat, companies are investing more each year on cyber security. The same survey showed that 82% of all businesses were increasing their IT security budgets, 57% increasing by single digits, whilst more than one-in-five are increasing the spend between 10% and 25%.

But there is an issue. An approach to cyber security that simply says ‘no’ to any perceived online risk, is unlikely to align with a corporate strategy for profit and growth. The so called “Business Blocker” approach to IT security, may meet short term cyber objectives, but is unlikely to support wider business strategy.  What is needed are “Cyber Champions”, leaders who can strike the balance between cyber resilience and business objectives, providing strong alignment to the overall business strategy. 

What is a CISO?

The Chief Information Security Officer (CISO) is an executive officer, responsible for the cyber security strategy in an organisation. They are responsible for the security of the digital assets of a company, and identifying and eliminating weaknesses or threats to those assets. The CISO traditionally works alongside other C-Suite members including the CIO, CFO & CEO.

What does a CISO do?

The CISO is likely to sit on, or report to the main board, and head up a team of skilled cyber security experts and operatives. Whilst their exact role will vary, depending on the digital profile of a business, their work can be split into three areas, past, present, and future security issues.

The past focus is about investigating previous breaches, determining what went wrong, and planning to avoid repeat incidents. This focus should also involve establishing if there are historic data breaches which have yet to be identified.

Present activities include real-time analysis of immediate threats, both external and internal, as well as ensuring that people only have access to necessary and appropriate data and systems. Ensuring that the regular drumbeat of security activity, patch updates, staff education and support, are performed to the necessary standard.  There is also the important role of leading the security team, and ensuring that the board members and other stakeholders are kept up to date with relevant and timely security information.

Future focused activities are one of the most important areas for a CISO. Keeping abreast of developing global security threats, and providing insights to other board members, to help them plan for acquisitions or other major business decisions. It is also vital that the CISO has input into the wider IT hardware, software, and network planning decisions. But perhaps the most important role of the CISO is to create and implement the strategy that will keep their organisation safe from cyber security attacks, whilst supporting wider business objectives.

How important is the role of CISO?

The role of CISO is critical to the ongoing success and profitability of a company. The Accenture study shows that around 70% of CISOs report directly to the CEO and board, with many being given direct control over their budgets. With the increase in both cyber threats, and the competitive advantages digital opportunities bring, we expect this level to rise quickly.

What skills does a CISO need?

A CISO needs to have a mixture of excellent leadership, analytical, information technology, and risk management skills.  They are likely to have a background in IT security, though with a strong team, this may not be the single most important attribute. Formal education and qualifications are likely to be a requirement for the role, though it is important to recognise that certifications are only of value if they are up to date and revolve around current technology and issues. The person with the most badges does not necessarily make the best CISO!

What makes a great CISO?

A great CISO is someone that can strike the balance between providing good cyber security and supporting digital expansion and growth.  They need to be both a strategist and a pragmatist, a communicator, and a technologist.  A great CISO does not live in a cyber security silo, but instead collaborates across the entire organisation, to understand wider business risk and inform the broader strategy. That may sound like a tall order, but it is for this reason that many CISO jobs come with a very attractive salary. Be very sure however, that a CISO will earn every penny of it!

About Intaso

Intaso are a boutique head hunting and talent solution firm, with Cyber and Information Security expertise. We have extensive first-hand experience across all elements of attracting the right talent, from often unfound and untapped resources. We believe that having a genuine passion for the industry, pride in the quality of our services, a tailored range of talent solutions, and a personal approach, means we have a unique offering, which has worked with businesses of all sizes and industries.If you are looking for the best talent in the industry, or want to look for a CISO, or other IT security role, please get in touch.  We would love to hear from you.