{"id":2225,"date":"2021-02-09T18:41:42","date_gmt":"2021-02-09T18:41:42","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=2225"},"modified":"2021-04-12T05:18:26","modified_gmt":"2021-04-12T05:18:26","slug":"smb-cybersecurity-guide-the-role-of-a-ciso","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2021\/managed-services\/smb-cybersecurity-guide-the-role-of-a-ciso\/","title":{"rendered":"SMB’s Cybersecurity Guide: The Role of a CISO"},"content":{"rendered":"

The types of cybersecurity challenges confronting small- and medium-size businesses (SMBs) are on the rise. In a report shared on Business Wire, Tanium<\/a> found that 98% of Chief Experience Officers (CXOs) had experienced security challenges within the first two months of their employers having shifted to remote work as a result of the pandemic. Approximately the same percentage (93%) of respondents subsequently decided to delay key security projects as they navigated this transition. Their decision came at a time when nine in 10 IT leaders were already seeing an increase in attacks associated with Coronavirus 2019 (COVID-19), thereby jeopardizing their organizations\u2019 digital security even more.<\/p>\n

These and other security challenges highlight the need for organizations to have the right leadership going into the months and years ahead. That\u2019s where the role of a Chief Information Security Officer (CISO) comes in. This blog post will explore the role of the CISO and explain why it\u2019s important for SMEs (Small and Medium-sized Enterprises). After discussing the challenges of SMEs gaining access to the expertise of a CISO, it will conclude by discussing how organizations can turn to virtual CISO (vCISO) services offered by a managed services provider.<\/p>\n

What Is the Role of a CISO?<\/h2>\n

An effective CISO must uphold three key tasks. These are aligning security initiatives with business objectives, facilitating strategic governance and monitoring for compliance.<\/p>\n

1.\u00a0\u00a0\u00a0 Aligning Security Initiatives with Business Objectives<\/h3>\n

First and foremost, CISOs need to make sure that their organization\u2019s security projects are aligned with its business objectives. This will help to ensure that digital security doesn\u2019t exist in a vacuum. Indeed, it will give CISOs the ability to use security in an effort to help the organization grow and expand.<\/p>\n

This alignment of security to business objectives is especially important given the fact that many Board members have limited technical expertise. A 2019 report from the Advanced Cyber Security Center<\/a> (ACSC) found that 38% of respondents felt their Board members viewed cyber risks as only \u201csomewhat significant.\u201d In response, CISOs can work to provide additional education and training to their Boards.<\/p>\n

As IBM<\/a> explains in a blog post:<\/p>\n

CISOs should take stock of the current level of knowledge of the full board and work to improve the board\u2019s cybersecurity expertise. Board members should receive consistent training and enhance their cybersecurity expertise, whether that is delivered by the CISO, by engaging external cyber risk advisers or through third-party assessments.<\/p>\n

CISOs can complement this ongoing security training with a their continued efforts to frame security investments in terms of the organization\u2019s business objectives. With reference to the Board in particular, they might consider linking their organization\u2019s investments to specific risks confronting them and their economic sector as well as to measurable outcomes. This will help CISOs to demonstrate ROI to the Board.<\/p>\n

2.\u00a0\u00a0\u00a0 Facilitating Strategic Governance<\/h3>\n

As part of their efforts to align security with the business, CISOs need to take stock of organization\u2019s current environment. That includes understanding the current strategic governance plan that\u2019s in effect.<\/p>\n

Delta Risk<\/a> defines strategic governance as \u201call of the people, processes, and technology we mentioned above that you need if you want to be sure your organization\u2019s security needs are covered.\u201d The managed security services provider notes that CISOs can facilitate strategic governance by first choosing a framework that they can use to get their organization\u2019s information security program up and running. (ISO<\/a>, COBIT<\/a> and NIST<\/a> are some common choices.) Many of these frameworks emphasize the need for CISOs to create an overarching security policy that applies to the entire organization. As such, organizations need to create an information security program governance committee for reviewing and approving all security policies. This committee should consist of HR, Legal and members of the C-suite who can examine all security policies from a different perspective.<\/p>\n

From there, CISOs can work with the C-level to obtain executive buy-in for their efforts. They should proceed by first performing a security risk assessment to identify gaps between their security policy and the organization\u2019s current security state. Such an evaluation will yield valuable knowledge that CISOs can then use to campaign for creating new processes, investing in security awareness training and procuring new security tools.<\/p>\n

3.\u00a0\u00a0\u00a0 Managing Audits<\/h3>\n

Last but not least, CISOs need to manage audits for their organization. They can do this in part by developing policies, procedures and programs that secure data in a way that ensures compliance with the framework that applies to them.<\/p>\n

CISOs can\u2019t stop there, however. Referencing a job description template provided by EDUCAUSE<\/a>, CISOs also need to work with internal auditors, outside consultants and other entities with carrying out required security assessments and audits. This task requires that CISOs provide leadership in tracking all security-related audits including their scope, the departments\/systems that are involved, the timelines over which they\u2019ll occur, the agencies with which they\u2019ll work and the changes that they might make as a result of those audits\u2019 outcomes. Along the way, they might also need to formulate a strategy for addressing numerous audits, compliance checks and external assessments at once.<\/p>\n

Difficulties for SMEs<\/h2>\n

SMEs could very well benefit from enlisting the security expertise of a CISO. But it\u2019s not always practical for them to do so in a traditional sense. Indeed, SMEs\u2019 security programs are usually smaller in scale than those at large enterprises. Such organizations might not need a full-time CISO, as a result. This could make the average salary of a CISO<\/a> impossible to absorb.<\/p>\n

Even if they want to have a traditional CISO, SMEs might run into additional struggles with finding one. The Wall Street Journal<\/a> notes that \u201cchief information security officer is a relatively new title near the top of a company, with a comparatively shallow pool of candidates\u201d in a field that\u2019s already suffering from a skills gap. The talent pool is still evolving to find qualified candidates to fill this leadership role, in other words.<\/p>\n

Even if SMEs find a CISO, that doesn\u2019t mean the candidate will be in their job for long or even excel in their position. Indeed, a report from Nominet Cyber Security<\/a> found that less than a third of all CISOs spend more than three years in their jobs. Simultaneously, Gartner<\/a> found in a 2020 report that just 12% of CISOs excelled in all four categories of its CISO Effectiveness Index.<\/p>\n

vCISO as an Alternative<\/h2>\n

Acknowledging these difficulties, organizations might want to consider going with a vCISO instead. A vCISO is usually a security expert who uses their experience to help other organizations set up their information security programs and architect their security strategies. Oftentimes, managed service providers<\/a> offer vCISO services to help smaller organizations like SMEs pursue their security goals.<\/p>\n

Organizations interested in enlisting the help of a vCISO should first make an effort to understand their cybersecurity risk baseline. Towards that end, ITEGRITI released its Cybersecurity Risk Assessment to help organizations evaluate their cybersecurity preparedness and maturity. Those who take it will receive a copy of the risk baseline report along with a cybersecurity maturity score based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.<\/p>\n

Learn more about Itegriti\u2019s Assessment here<\/a>.<\/p>\n<\/div>

<\/div>
<\/div><\/div>
<\/div>

This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:<\/p>\n