Do We Really Need a CISO? Yep, You Do.
One of the most effective steps that corporate leaders can take to improve cybersecurity is to build a trusted information security team—preferably one led by a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Historically, the role of information security was often small enough to be handled entirely by a Chief Information Officer (CIO). But by viewing information security as a mere subset of their responsibilities, CIOs not only failed to devote their full attention to it, they also failed to allocate the quantity and quality of information security personnel.
In today’s perilous business environment, information security has become too vital and too specialized to be performed on a part time basis. Why? In part because the information technology delivering business has become so complex. Mobile, Cloud Computing, Internet of Things, AI: These business and digital trends have made communication faster and have created incredible efficiencies. But behind those new technologies often lie hundreds if not thousands of network devices and software applications. Simply keeping these systems up and running has become a massive undertaking.
Notwithstanding the compelling reasons to do so, a startling number of organizations do not have senior managers dedicated to information security. Only about 50% of businesses have a CISO or CSO in charge of their information security programs, according to industry reports. The number of organizations with low-level managers devoted to information security is undoubtedly higher, but the fact that only half of all businesses have a CISO is troubling.
Why are there so few CISOs? Part of the answer is under-investment. Companies’ investment in cybersecurity personnel and technologies has not kept pace with increasing cyber risks, though recent studies suggest this trend is shifting. There are also relatively few CISOs because of human capital shortages. Today’s information security job market is insanely competitive. Small and medium-size businesses struggle to match the compensation offered by larger enterprises. The lack of CISOs also appears to be the result of resistance from other C-Level executives who believe that CISOs do not deserve a seat at the table and should not be part of an organization’s leadership team. This attitude is short-sighted and dangerous.
There is tremendous value in having an individual or team focused exclusively on cyber security. Organizations with a CISO are more likely to have the governance, operational, and technical controls that are necessary to reduce cyber risks. Of course, companies cannot eliminate cyber risks simply by hiring a CISO, but they will reduce cyber risks considerably if they do so. Having an individual or team dedicated to cybersecurity–whether internal or external–is now an essential risk mitigation step for any organization serious about managing cybersecurity.
But there is a less obvious–yet equally compelling–reason to have a CISO. Regardless of your company’s size, industry, or maturity, there is a high likelihood that it will suffer a significant cyber incident over the next five years. The law of averages says so, and savvy corporate leaders should plan accordingly. Moreover, the aftermath of a cyber attack will be rife with privacy litigation, regulatory inquiries, shareholder outrage and confusion, and a broad range of unanticipated consequences. Above all else, during the fallout, corporate leaders will be called upon to convince an array of skeptical constituencies (e.g., shareholders, partners, customers, regulators, insurance carriers; employees and other interested parties) of the reasonableness of their failed cybersecurity protection efforts (or lack thereof).
Organizations will need to identify specific examples that demonstrate a reasonable commitment to cybersecurity. Having a CISO in place sends a powerful message about an organization’s commitment to data security and privacy. And it sends an even more powerful message if you don’t.
At Tensyl, we’re here to help. Learn more about us here.