Do I need a CISO?

Chief Information Security Officer (CISO), a role that barely existed when the calendar rolled over to the year 2000. While it’s a relatively new role in the C-suite, it’s fast becoming one of the most important. The number and sophistication of cyber attacks keeps increasing, and companies are finding it hard to keep up. The question, do I need a CISO, depends on how serious you are about your data security.

When the CISO role was introduced, it focused on internal systems. With cloud services, mobile device adoption, and remote working, the role has changed a lot over the last two decades. Per Jeff Pollard at Forrester, “From 2014 to today, the CISO has evolved to be one of the centerpieces inside an organization. This is especially as more and more businesses become dependent on data and software to make money, which is virtually every business today.”

As security has become a board recognized concern, the CISO’s profile has risen dramatically within the C-suite. And we’re seeing the change in CISO tenure. Per the Forrester research, Fortune 500 companies CISO tenure is now at 4.5 years compared to just 17 months for all CISO’s. With the increased visibility, CISO’s are looking to create real change and to do that, they need time for the results to take place.

For Fortune 100 companies, there is a preference for CISO’s with previous experience. The Forrester study notes that 64% of hires are external. However, beyond the top 100, new CISO’s make up nearly two-thirds of new hires. This is likely because candidates for the role are in short supply. Finding an experienced CISO is going to be costly, which may explain why they are more often found in Fortune 100 companies.

Whether or not security is a core pillar of your company’s business strategy, new regulations, like GDPR, are forcing businesses to implement new, and often stricter, security guidelines. We at Sheer Velocity believe that every company that processes or stores customer data should have a CISO, and the sooner the better. Unfortunately for those looking for a quick fix, there is no one-size-fits-all CISO job description.

Depending on your existing security approach, the CISO may need to make additional hires in order to fully manage your threat landscape, it’s not something one person can effectively manage. Have you recently completed an internal security audit? Do you know if you meet your industry’s compliance benchmarks? A CISO will drive the vision for the organization’s information security philosophy. To carry it out will require C-suite alignment, budget allocation, and sufficient headcount.

Cloud based computing adoption and an increase in the Internet of Things (IoT) is going to make security even more difficult over the coming decade. A good CISO should be comfortable with cloud technologies and remain up to date with the latest threats and technologies.

The role also requires a constant balancing act between business needs and security protocols. For example, restricting remote access to the network is going to frustrate employees who need to get their work done. An ability to collaborate across departments and understand their business needs is crucial for an effective, sustainable information security policy.

If you’re on the fence about hiring a CISO, send us a note and we’ll work with you to determine the best path forward.