The types of cybersecurity challenges confronting small- and medium-size businesses (SMBs) are on the rise. In a report shared on Business Wire, Tanium found that 98% of Chief Experience Officers (CXOs) had experienced security challenges within the first two months of their employers having shifted to remote work as a result of the pandemic. Approximately the same percentage (93%) of respondents subsequently decided to delay key security projects as they navigated this transition. Their decision came at a time when nine in 10 IT leaders were already seeing an increase in attacks associated with Coronavirus 2019 (COVID-19), thereby jeopardizing their organizations’ digital security even more.
These and other security challenges highlight the need for organizations to have the right leadership going into the months and years ahead. That’s where the role of a Chief Information Security Officer (CISO) comes in. This blog post will explore the role of the CISO and explain why it’s important for SMEs (Small and Medium-sized Enterprises). After discussing the challenges of SMEs gaining access to the expertise of a CISO, it will conclude by discussing how organizations can turn to virtual CISO (vCISO) services offered by a managed services provider.
What Is the Role of a CISO?
An effective CISO must uphold three key tasks. These are aligning security initiatives with business objectives, facilitating strategic governance and monitoring for compliance.
1. Aligning Security Initiatives with Business Objectives
First and foremost, CISOs need to make sure that their organization’s security projects are aligned with its business objectives. This will help to ensure that digital security doesn’t exist in a vacuum. Indeed, it will give CISOs the ability to use security in an effort to help the organization grow and expand.
This alignment of security to business objectives is especially important given the fact that many Board members have limited technical expertise. A 2019 report from the Advanced Cyber Security Center (ACSC) found that 38% of respondents felt their Board members viewed cyber risks as only “somewhat significant.” In response, CISOs can work to provide additional education and training to their Boards.
As IBM explains in a blog post:
CISOs should take stock of the current level of knowledge of the full board and work to improve the board’s cybersecurity expertise. Board members should receive consistent training and enhance their cybersecurity expertise, whether that is delivered by the CISO, by engaging external cyber risk advisers or through third-party assessments.
CISOs can complement this ongoing security training with a their continued efforts to frame security investments in terms of the organization’s business objectives. With reference to the Board in particular, they might consider linking their organization’s investments to specific risks confronting them and their economic sector as well as to measurable outcomes. This will help CISOs to demonstrate ROI to the Board.
2. Facilitating Strategic Governance
As part of their efforts to align security with the business, CISOs need to take stock of organization’s current environment. That includes understanding the current strategic governance plan that’s in effect.
Delta Risk defines strategic governance as “all of the people, processes, and technology we mentioned above that you need if you want to be sure your organization’s security needs are covered.” The managed security services provider notes that CISOs can facilitate strategic governance by first choosing a framework that they can use to get their organization’s information security program up and running. (ISO, COBIT and NIST are some common choices.) Many of these frameworks emphasize the need for CISOs to create an overarching security policy that applies to the entire organization. As such, organizations need to create an information security program governance committee for reviewing and approving all security policies. This committee should consist of HR, Legal and members of the C-suite who can examine all security policies from a different perspective.
From there, CISOs can work with the C-level to obtain executive buy-in for their efforts. They should proceed by first performing a security risk assessment to identify gaps between their security policy and the organization’s current security state. Such an evaluation will yield valuable knowledge that CISOs can then use to campaign for creating new processes, investing in security awareness training and procuring new security tools.
3. Managing Audits
Last but not least, CISOs need to manage audits for their organization. They can do this in part by developing policies, procedures and programs that secure data in a way that ensures compliance with the framework that applies to them.
CISOs can’t stop there, however. Referencing a job description template provided by EDUCAUSE, CISOs also need to work with internal auditors, outside consultants and other entities with carrying out required security assessments and audits. This task requires that CISOs provide leadership in tracking all security-related audits including their scope, the departments/systems that are involved, the timelines over which they’ll occur, the agencies with which they’ll work and the changes that they might make as a result of those audits’ outcomes. Along the way, they might also need to formulate a strategy for addressing numerous audits, compliance checks and external assessments at once.
Difficulties for SMEs
SMEs could very well benefit from enlisting the security expertise of a CISO. But it’s not always practical for them to do so in a traditional sense. Indeed, SMEs’ security programs are usually smaller in scale than those at large enterprises. Such organizations might not need a full-time CISO, as a result. This could make the average salary of a CISO impossible to absorb.
Even if they want to have a traditional CISO, SMEs might run into additional struggles with finding one. The Wall Street Journal notes that “chief information security officer is a relatively new title near the top of a company, with a comparatively shallow pool of candidates” in a field that’s already suffering from a skills gap. The talent pool is still evolving to find qualified candidates to fill this leadership role, in other words.
Even if SMEs find a CISO, that doesn’t mean the candidate will be in their job for long or even excel in their position. Indeed, a report from Nominet Cyber Security found that less than a third of all CISOs spend more than three years in their jobs. Simultaneously, Gartner found in a 2020 report that just 12% of CISOs excelled in all four categories of its CISO Effectiveness Index.
vCISO as an Alternative
Acknowledging these difficulties, organizations might want to consider going with a vCISO instead. A vCISO is usually a security expert who uses their experience to help other organizations set up their information security programs and architect their security strategies. Oftentimes, managed service providers offer vCISO services to help smaller organizations like SMEs pursue their security goals.
Organizations interested in enlisting the help of a vCISO should first make an effort to understand their cybersecurity risk baseline. Towards that end, ITEGRITI released its Cybersecurity Risk Assessment to help organizations evaluate their cybersecurity preparedness and maturity. Those who take it will receive a copy of the risk baseline report along with a cybersecurity maturity score based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.
Learn more about Itegriti’s Assessment here.