[BreachExchange] Hiring a CISO: The evolving role of your security executive

[Destry Winant]

https://www.securitymagazine.com/articles/93000-hiring-a-ciso-the-evolving-role-of-your-security-executive

Before COVID, cybersecurity was a concern for businesses everywhere.
In fact, in Microsoft’s 2019 Global Risk Perception Survey, 57 percent
of companies ranked cybersecurity as a higher risk than economic
uncertainty and brand reputation or damage.

As COVID continues on, cybersecurity risks remain high. In April 2020,
the World Health Organization saw a fivefold increase in cyberattacks
on its staff and organization, and by the end of March 2020, Microsoft
reports that every country in the world had seen at least one COVID-19
themed attack.

Looking ahead, what does all of this mean for the role of the Chief
Information Security Officer (CISO)? Not only is it more important
than ever before — with 61 percent of companies having someone in the
role of a CISO — but the role has shifted since the start of COVID.
According to Douglas Gladstone, Comhar Partners Managing Director,
“The role of the CISO has greatly shifted to focus more efforts on
remote work and business continuity. With an influx of more remote
cyber threats, we will likely see an increased need for security
training and more emphasis on supporting help-desk staff in providing
virtual security assistance. To better manage continuity, a focus on
patching remote systems via VPNs will likely take precedence.”

If you’re among the 39 percent of companies without a CISO, it’s time
to consider who can best fill this role for your organization. With
the workforce going remote, more attacks on the rise, and the need to
evolve company technology in order to stay competitive, the person in
this role must be able to manage a unique set of security challenges.

Consider the skills today’s CISO needs to find the best candidate for
your company.



Securing the remote workplace

The vitality of the CISO function has become more apparent for nearly
every business as they shift to remote, which brings its own set of
security challenges. No longer does risk need to be contained within
the four walls of the office. Now the CISO must secure employee
devices and accounts across the country or even around the world.

As such, the person in this role needs to be familiar with developing
and updating policies and procedures company-wide, along with applying
them and tracking success. They also need to understand the landscape
of tools like VPNs and Network Access Control and be able to implement
them successfully to ensure the company is never at risk.

More importantly, they need the team to continually manage the various
tools, policies and measures put in place. This is why hiring a CISO
who can take the lead with hiring in-house employees or an outsourced
support team to manage new risks as they arise is critical.

“Security solutions are extremely crucial especially for the remote
workforces,” says Karen Turrini, Comhar Partners Managing Director.
“In addition to sophisticated security breaches, simple malware is
detected often as a result of the remote workers. It’s estimated that
the remote workforce will continue with 50 percent remote and 50
percent in corporate offices when this pandemic subsides. Companies
will demand CISO expertise more than ever.”

A successful CISO will be incredibly tech-savvy and adaptable. Someone
in this role needs to be able to work around the complications and
additional security concerns surrounding the ever-increasing remote
workforce.



Maintaining cybersecurity as a cultural mindset

The job of a CISO isn’t just to make sure the company is secure and
the IT team is doing what it needs to. With 90 percent of data
breaches caused by human error, a critical part of this role is
developing a culture of security and nurturing this among the entire
company, from their IT team to sales, marketing, HR and operations.

The CISO needs to share their knowledge of security with the whole
team, and make sure it’s accessible and easily understood by all team
members—not just those proficient in security and IT. For example, the
person in this role might implement strong password policies
company-wide and develop ongoing and engaging cybersecurity training.

Employees are one of the biggest risks for organizations, so tasks
like educating team members about phishing and ensuring everyone is
using two-factor authentication are key elements of the modern CISO.

Additionally, there should be open communication with all departments
so that employees feel comfortable reporting threats as soon as they
arise. The whole team needs to be able to work together in conjunction
with IT and the security team to build a resilient and secure
organization.



Enabling competitive advantages

The role of the CISO is to be a security expert as the company
evolves. As Justin Somaini, Chief Security Officer of SAP, says,
“Digital technologies and connectivity have infused every aspect of
the business. This elevates risk, but it also elevates the value and
importance of the cybersecurity function. The CISO increasingly has a
seat in the executive suite because security is no longer just about
risk; it’s also about competitive differentiation.”

Security isn’t just about keeping your company safe. Now, it’s about
securing the product that you offer, along with customer data, paywall
information, and much more. As the role of technology in business
expands, so does the role of the CISO.

Looking at 2020 and COVID, however, it’s becoming even more
challenging for the CISO to enable this competitive advantage while
maintaining security. As Jack Mannino, CEO at nVisium, explains to
Security Magazine, “The challenge for many organizations is continuing
to accomplish their security must-dos with significantly fewer
resources. Relying on a pool of trusted security partners is critical,
as niche skills or deep expertise may come from external sources when
internal headcount is constrained.”

This is why the role of the CISO cannot be underestimated. Despite a
lack of resources, their authority, experience and expertise can keep
the organization safe as they expand in an uncertain world.



The evolving role of the CISO

The CISO is more critical now than ever before. Companies need to not
only maintain normal security measures, but they also need to secure a
remote workforce, nurture a security-minded company culture and
leverage the CISO’s expertise as the company evolves. The right person
in this role will be able to keep the company and its customers safe,
which in turn affects every other area of the business. This makes the
CISO a key role for every organization to consider as they expand into
the “new normal” and manage the risks that come with it.