The Chief Information Security Officer (CISO) is the executive responsible for an organization’s information and data security.
Not every company has a CISO, yet according to IDG's 2020 Security Priorities study the share of large enterprises with one has risen to 80%, and a similar trend is expected among smaller companies. CISOs play an important role because they keep employee security training adequate, and organizations that have one tend to run a far more proactive security strategy than those that do not.
WHAT IS DEMANDED OF A CISO?
• Security operations: real-time analysis of immediate threats, and triage when something goes wrong.
• Cyber risk and cyber intelligence: keeping up to date with the newest threats and building strategies that minimize their potential impact should such incidents occur.
• Data loss and fraud prevention: ensuring that critical data is as secure as possible, and having the tools and strategies to keep critical incidents from disrupting business activity or causing data loss.
• Security architecture: planning, buying, and rolling out security hardware and software; making sure IT and network infrastructure are designed with security best practices in mind; and keeping all tools current with the latest security patches.
• Identity and access management: ensuring that only authorized people have access to restricted data and systems.
• Program management: keeping ahead of security needs by implementing programs or projects that mitigate risk (regular system patching, for instance), and raising awareness among all employees of the essential security measures.
• Reporting security to the board: one of the hardest tasks is explaining security issues to non-technical people, yet it is a challenge every CISO must overcome in the role. Having precise, clear data on which security issues exist and how they are being handled is vital.
• Governance: working with the compliance teams to ensure that data handling meets all legal obligations.
• Risk landscape: tracking cyber risk across the organization's data landscape, including by monitoring third parties and their infrastructure.
EVOLUTION OF THE ROLE OF CISO
Initially, CISOs were directors of information security who reported directly to the CIO (Chief Information Officer), which made the role effectively an extension of IT.
However, as the CISO position evolved, so did its visibility and importance to top management. As a result of this evolution, in some organizations the CISO began to report to the CEO (Chief Executive Officer).
Today we find CISOs reporting to several different executives (CIO, CEO, Chief Risk Officer, Audit Committee, and others); that is, whom the CISO reports to depends on the size, dynamics, and sector of the organization.
In short, regardless of whom the CISO reports to, the CISO has a fundamental role in an organization: to ensure security, to make all internal stakeholders aware of the importance of implementing security measures proactively, and to report on security to the board.