No two organizations have the same internal structure, staff roles, and titles. A prudent business leader knows they should only create a role if there’s a need for it. For instance, many small businesses don’t have in-house legal counsel. They consider it more efficient to have this handled by an external attorney engaged as necessary. Every position in an organization, therefore, has to be well-thought-out and its relevance established before someone is designated accordingly. That’s the predicament many businesses are finding themselves in as far as the position of a chief information security officer (CISO) goes.
If the news is anything to go by, every business needs a CISO. It seems that every other week, reports of a major data breach compromising the confidential data of millions of users grabs international headlines. The affected companies not only have to deal with the huge blow to their reputation but must also work quickly to close any gaps while reassuring customers and the public that they are doing everything to ensure such an incident doesn’t recur.
Data is one of the most important assets of the modern organization and its security is sacrosanct. There’s also been a wave of far-reaching data security regulations such as the GDPR that have upped the pressure on business leaders to give the highest priority to the protection of customer information. In this context, a growing number of enterprises are contemplating hiring a CISO. But how do you know whether your business needs a CISO?
1. Complex threat landscape
The cybersecurity needs of a tiny e-commerce startup with dozens of customers aren’t of the same order of magnitude as a global bank with thousands of employees and millions of customers. So perhaps more than anything else, the complexity of your security threat landscape should be the primary consideration on whether you should have a CISO.
Complexity is not necessarily synonymous with scale. Smaller organizations such as vendors of antivirus software cannot afford a failure in their security controls. They must give greater priority to security than the average organization. In that case, having a CISO would be crucial in making security issues front and center of decision-making conversations.
2. A history of security breaches
Appointing a CISO after a security breach might feel a bit like closing the stable door after the horse as bolted. However, hackers like anyone else would want to expend as little effort as possible to realize the maximum return. An organization whose systems they’ve penetrated before would be a viable attack target before they proceed to more uncharted territory.
There’s no guarantee that an attacked entity will take the measures needed to close all loopholes. Appointing a CISO would be helpful here. The business can task someone with mitigating the breach damage and making sure gaps are addressed comprehensively. Also, a CISO reassures customers that the business is going all out to prevent a recurrence.
3. Increased attacks on competitors or the industry in general
For businesses that have never found themselves entangled in an IT security incident, hiring a CISO would appear pointless. There’s the presumption that a system that has never been breached is a system that’s sufficiently secure. On the contrary, the reason your systems have been incident-free just could be that they are yet to be caught in the crosshairs of a determined attacker.
One sign that you could be a target soon is a spate of attacks on systems of businesses in the same industry. Whereas you and your competitors don’t have identical policies, procedures, processes, and systems, there are likely certain technologies used by many businesses in the industry. So once hackers breach the defenses of one player, they could leverage this knowledge to launch a successful attack on similar organizations.
4. Lack of ownership or coordination in security matters
Some businesses have great teamwork, excellent coordination, and a strong individual sense of responsibility that gets things done even when there isn’t a specific individual or department charged with discharging a particular role. In such businesses, it might not be necessary to hire a CISO since, between the IT and business teams, there’s strong commitment to ensure security matters are identified and addressed quickly.
Unfortunately, not all organizations are endowed with such harmony and a sense of duty. Security issues can fall through the cracks because there isn’t someone running with the cause. In such instances, a CISO would help drive the process, close gaps, and reduce conflict.
5. Absence of IT security leadership skills
There’s a dearth of cybersecurity professionals in the market. The open positions far outstrip the available talent. That is in itself evidence there’s a good chance your own non-security IT professionals don’t have the skills required to tackle IT security challenges.
If your organization is fortunate enough to have a CTO, CIO, or COO who has a firm grasp on IT security matters and can provide clear, coherent leadership, then hiring a CISO is superfluous. On the other hand, if you find it difficult to identify any one tech or operations leader as a dependable cybersecurity leader and champion, then hiring or designating a CISO would be critical.
6. Regulatory concerns
Industries such as financial services and healthcare are highly regulated. Businesses operating in these sectors are often expected to have much higher data security standards than the average organization. While regulators may not necessarily require that such businesses have a CISO, the potential repercussions of non-compliance with data security requirements could compel the business to appoint one.
The regulatory, legal, financial, and reputational cost of noncompliance could be far greater than the remuneration and benefits they’d offer a CISO.
You need a CISO of some sort
Whether you have a specific person appointed the CISO or you deem it more pragmatic to have an existing executive such as the CIO, COO, CTO, or CSO cover the role, the business must dedicate adequate management support to information security. As cyberattacks become more sophisticated, the security of your data and systems is too important to be left to chance.
Featured image: Shutterstock
