"CISOs are known to be accountable to protect your business against security and privacy breaches. But they cannot be efficient without the support of the other strategic departments. Security resilience can only be achieved with a strong security company culture."
This article has been written following a presentation given by Filip Dewolf during an event organised by the Belgian Cyber Security Coalition, ISACA and Solvay Brussels School. Our objective is to share some insights with CISOs, but also with Business Directors.
The digital world continues to evolve, and so do the cyber threats we face. Studies have shown that it takes on average 200 days for a breach to be detected. Without proper protection, most of the damage could already have been done by then.
That is why cybersecurity has truly become a business necessity. And the role of a Chief Information Security Officer (CISO) has never been more important.
But it comes with some challenges:
- A CISO can play a key part in developing a company’s cybersecurity and resilience posture. However, too often the role is not treated as a strategic position but rather as an extra responsibility or a purely technical function.
- Another challenge to overcome is the perception that the hiring of a CISO can guarantee an organisation full protection. Yet, absolute security is impossible. To be able to do the job without fear of being fired if and when something goes wrong, mindsets first need to change.
"For a CISO to become an effective line of defence, it is crucial to first build the right foundations!"
Firstly, to be successful, a CISO needs well-defined roles and responsibilities and a clear reporting model. With these first steps in place, the focus can turn to the company’s security needs.
A Chief Information Security Officer can become an important asset and help co-define strategic decisions within the organisation. Before that can happen, the company culture may need to change. It is the CISO’s role to help everyone understand the role and value of security by informing and training people within the organisation. Only then can a truly comprehensive security strategy be created.
In order to create an efficient security strategy, a CISO needs not only operational expertise but also a multitude of other skills such as:
- Executive: the ability to translate the company’s vision and mission into the security strategy, an understanding of financials, and the ability to identify key assets
- Policy: the ability to write policies that are realistic, understandable, and known throughout the organisation
- Communications: the capability to adapt to different audiences, and crisis communication skills
- Risk Management: determining the probability and impact of business and security risks, and calculating the residual risk
- Incident Management: understanding business continuity, disaster recovery and crisis management
- People Management: hiring, retaining and training the right people
- And other skills such as privacy regulations, security SLA negotiations, cyber insurance, …
However, it isn’t realistic for one person to have all of these skill sets. That is why, when possible, we advise companies to set up a CISO office (internal or external): the CISO remains accountable but is supported by experts in other fields such as legal or finance.
With all of these measures implemented, a CISO can bring real value and strengthen a company’s cyber resilience.