When do you hire a CISO? That’s a tricky question, but it’s one more and more enterprises are facing. Chief information security officer is becoming a critical role in the IT-heavy enterprise and becoming increasingly relevant even for smaller firms. While most enterprises already recognize the need to have dedicated security architects on board, a CISO is the next level of organizational commitment to information security, not only at an operational level but at a strategic level.
Companies tend to build their information security teams organically, though they need to factor in industry-specific regulations and information security challenges. One approach adopted by enterprises is to create the position of director of information security. This person's responsibilities are to drive day-to-day security practices and operations, as well as to bring periodic improvements to the security program.
A CISO, on the other hand, is entrusted with the much larger and broader responsibility of setting an organizational philosophy and vision for information security, interfacing with all department leads to drive adoption, and steering the organization through the political red tape that makes information security such a challenge to implement.
A blitzkrieg of questions
As we said, the decision to hire a CISO is not exactly easy to make, and the biggest questions center on timing, method, remuneration, and current information security strength. Some questions likely to come up are: Shall we hire a director of information security and progress him or her to the role of CISO? Do we promote our in-house cybersecurity leader to the position of CISO? Shall we consider CISO-as-a-Service solutions? We’ve not had a security breach worth losing sleep over — do we even need a CISO?
The answers, of course, are not straightforward. One thing is for sure — you don’t want to wait for the big breach to occur before you hire a CISO. Target needed the jolt of a lifetime in 2013 to bring a CISO aboard. Other retailers should have learned lessons from this massive breach, and you should, too.
Now, let’s give you another set of questions that will help you answer whether your enterprise needs a CISO now, or not.
Does your boardroom table have a seat for a CISO?
Simplified, the question is — is your enterprise ready to have a C-suite officer interact and work directly with the chief technology officer, chief information officer, and even the chief marketing and finance officers? Getting a CISO on board is the equivalent of acknowledging information security as a core pillar of the organizational framework. Your enterprise’s top officials will need to work, almost on a daily basis, with the CISO and participate in the programs he or she introduces and drives. This demands the utmost support and acceptance from all enterprise departments, as the impact will quickly percolate down the enterprise hierarchy, changing the way people interact with technologies. If you are convinced that your enterprise is in a position and at a stage that’s right for a CISO to come in, go for it.
Do you have enough operational firepower?
The biggest mistake you can make in the process of hiring a CISO (even while deciding whether to hire one) is to let your requirements and concerns around the operational aspects of information security interfere with the decision. A CISO’s first line of action will be to create an organizational vision and mission around information security, and then to work closely with department leads and executives to continually drive the enterprise toward better information security. Your CISO should not be required to pitch in on routine operational aspects of information security (not even team-level planning and department-specific implementations). The job description and key result areas you design for the role of CISO must make it clear that the person will be entrusted with the enterprise’s information security — all of it.
Prepare for autonomy in the CISO’s work style
Whether it’s because of the regulations governing your industry, bitter recent experiences with security breaches, a desire to emulate the best in your line of business, or an exodus of the current information security leadership in your enterprise — if you’ve decided to bring in a CISO, you must decide whether you can give the CISO full autonomy in how he or she does the job. The political and cultural challenges involved in managing a function as pervasive as information security are massive, and your CISO will need a degree of autonomy and flexibility to make things work. It’s worth giving your enterprise two to three months after the CISO joins to decide on an administrative reporting mechanism that balances accountability and autonomy.
Could a security breach ruin your business?
Fire is the greatest teacher in firefighting — but that approach doesn’t really work with information security. Look around you, and you’ll find enterprises and SMBs within your industry that have paid hefty prices for their information security laxity. If you’re convinced that learning on the job is no longer the best way to deal with information security risks, it’s time to consider the services of a CISO. If your enterprise’s information security monitoring and reporting tools suggest decreasing levels of health, it’s time to start the process of hiring a CISO. Also, if you operate in an industry where a security breach would ruin your business (finance, defense, and health care, in particular), don’t waste time — get the services of a CISO now.
Is the enterprise ready to change the way it deals with data and computing?
To bring far-reaching results and success in information security, the CISO will need to devise programs, best practices, and mechanisms that alter the way your people deal with technologies and data. An enterprise that’s committed to upgrading and improving its practices for better information security can make the most of the services of a CISO. Otherwise, you’d do better to first get the operational mechanisms in place, and to educate internal stakeholders about the need to align with information security best practices, before hiring a person for the job.