These days, more than ever, having a Chief Information Security Officer is becoming a necessity as cyber-attacks continue to rise. There is a rapidly growing list of organizations embarrassed by what seems like one breach announcement after another, including some companies considered to be among the most sophisticated. I mean, when a company that makes its living storing passwords suffers a breach, you have to think, “those guys were not locked down?” Obviously, they were not. So, who is the CEO turning to these days to guard the organization’s sensitive data and prevent breaches?
Well, you guessed it – the Chief Information Security Officer (CISO) is the person to rely on to solve these issues.
First, what does a CISO do? The CISO plans and strategizes the organization’s approach to all data security. This includes not only how data traverses the internal and external networks, but also how data is stored and moved from one place to another – whether electronically (the network or public internet) or physically (CD, USB, external drive).
So, do some of these larger companies that seem to be getting hacked daily have a CISO? If so, are they just asleep at the switch? While some are fighting a losing battle (because you are only as secure as your worst user), the CISO job can be a daunting one to prepare for. CISOs work to identify and eliminate vulnerabilities and must provide security assurances to the executive team and the board.
Many companies that have a CIO assumed this was a responsibility the CIO could shoulder, but the attack vectors are too broad, and the expertise needed to safeguard an enterprise is too specialized. So, the CIO now sees the role of CISO as a necessity and has become the biggest advocate for adding this individual, whereas in the past the CIO may have seen it as a potential threat to their own job. The CISO puts entire programs and processes in place to investigate potential security risks. They work closely with the CIO to make sure that, from a network and data protection standpoint, everything is being done to consistently reduce attack vectors – and, more importantly, to educate the IT staff on best practices so that vulnerability management becomes part of the culture and not just an afterthought.
In summary, the reason you need a CISO is that the role is far too complex to expect someone encumbered with numerous other activities to be proactive enough to be effective. It is one of the reasons the vCISO service that we at General Informatics and others provide has become so popular. The customer knows that a dedicated CISO cannot, and for that matter will not, get pulled in a different direction and take their eye off the data security ball.