5 Qualities Your Next Chief Information Security Officer Should Have
In a world where dataism has become the new normal for organisations, security has become a high priority. Or at least, it should be a top priority for organisations. Unfortunately, the reality is different, and every year, many consumers still become the victim of one of the hundreds of data breaches. Any organisation can be hacked, and without sufficient security measures in place, it can become very expensive.
The breach of Equifax, the consumer credit reporting agency that exposed the personal data of some 143 million Americans in June and July 2017, is among the biggest hacks with the biggest impact on consumers. Thus far, the Equifax breach has cost the company US$4 billion. The company’s CEO resigned over the hack, as did its Chief Information Officer and its Chief Security Officer.
Information Security Challenges for Organisations
Unfortunately, protecting your organisations from (would be) hackers is difficult. Organisations face a lot of challenges when it comes to ensuring information security. Many organisations lack adequate staff in security operations and incident response. Detecting digital threads is challenging, and for most organisations, it is not a core competency.
As a result, they lack the data engineers and analysts to ensure proper incident monitoring and detection. Consequently, organisations face a lot of false positives due to the lack of intelligent analytics, resulting in too much noise. In addition, in a lot of organisations, monitoring still depends on too many manual processes, tools that are not integrated and the organisation lacks a complete overall picture.
Those companies that do not implement proper security measures, or at least ensure their data is encrypted so it is useless in case of a data breach, can be made liable. Especially under the GDPR regulations. Therefore, it is vital for organisations to develop the right policies and processes to ensure data security and the Chief Information Security Officer (CISO) should be responsible.
The Chief Information Security Officer
The Chief Information Security Officer is responsible for managing enterprise risks related to information, deploying security analytics within the organisation to do so and ensure compliance with regulations related to data security. The Chief Information Security Officer should create an environment that is capable of dealing with large quantities of data. Not only the data created within the organisation but also the data involved with security analytics.
Security analytics generally involve terabytes or petabytes of data due to log information from monitoring your network, database information, identify information and all kinds of other system data that needs to be analysed in real-time to know what is going on. The role of the CISO is an important one, but what are the five main characteristics to look at when hiring your next Chief Information Security Officer?
1. Understand the Technical Environment
The CISO has to develop the security backbone of an organisation, often starting from scratch. The CISO should be actively involved in activities such as managing operational risk activities, identifying protection goals and metrics that are aligned with the strategic plan and prioritise security initiatives within the organisations. Of course, the CISO should be responsible for implementing security analytics and overseeing incident monitoring and response planning. To be able to do so, the CISO needs to have a thorough understanding of IT and information security tools.
2. Be a Change Manager
Information security requires a culture change within the organisation. Making all employees aware of the importance of information security, ensuring the right security policies and processes and making sure that the implemented security analytics are used, requires a culture change. This is difficult, as people have a natural inertia to change. Therefore, the Chief Information Security Officer should be a strong change manager, who is capable of changing people’s behaviour within the company.
3. Be a Strategist and Communicator
As a CISO, it is your responsibility to create high-end encryption and make your systems as unhackable as possible, but still, align it with the business objectives. Unmoveable, cold stored data does not help with the business, as business needs information to flow and be reachable in real-time. It is, therefore, the objective of the CISO to find a balance between security needs and business needs and be able to convey this message to the stakeholders. After all, if the end-users do not understand why certain security measures are in place, they are likely to ignore it.
4. Be a Good Recruiter and Manager
Developing an advanced information security environment, including analytics for monitoring and detection of data breaches, requires very skilled personnel. Often, these developers are hard to come by and hard to keep. A great CISO hires staff that are analytical, great thinkers and result-focused that like to solve complex puzzles. It is the task of the CISO to create an inspirational and challenging work environment for IT security staff.
5. Be Capable of Complex Risk Assessments
Developing and implementing information security systems take time, money and energy. A great CISO can assess and prioritise which assets need to be protected first and how depending on the risks involved. To do so, the Chief Information Security Officer should have a clear understanding of the objectives of the different departments, what the different data requirements are and what the corresponding risk factors are. Based on an analysis of these, often conflicting interests, the CISO should be able to develop an actionable security strategy to minimise the risks the organisation faces.
Final Thoughts
The introduction of the Chief Information Security Officer is just the beginning. The world of digital security is changing rapidly, and organisations should evolve as well. Cybercriminals are constantly changing their tactics, finding new ways to attack companies, so if a company refuses to stay up-to-date, they are almost asking to be hacked. This new reality requires a new approach to security.
Protecting your company should be focused on prevention, detection and response. On the one hand, you should make it as difficult as possible for criminals to hack your systems. Encrypt your documents, and especially your passwords, and use firewalls to protect your systems from outside intruders. On the other hand, focus on monitoring and detection to know what is going on within your network and company. Finally, combine different tools to directly respond when an intruder is discovered. To implement all these information security measures, the role of the Chief Information Security Officer is a necessity.
Image: Gorodenkoff/Shutterstock