The position of CISO (Chief Information Security Officer) is one of the newest roles ever created in the field of information security. As such, there’s no standard definition of the CISO’s roles and responsibilities. Does the CISO report to the board with the other C-level executives? Do they have their own budget, or do they share it with the CIO?
Regrettably, a number of companies seem to have answered the question, “What is a CISO?” with “the person you fire after an information security breach.”
In order to successfully defend a company from security threats, the CISO needs authority, independence, and budget—plus some leeway when it comes to weathering cyberattacks. Here are a few ways that companies are setting up their CISOs to succeed.
Do You Have to Be an Enterprise to Hire a CISO?
One question that a lot of companies are asking is when to hire a CISO. A company of just 10 people might not need a chief information security officer. A company with a hundred people probably does, but many still don’t have one. A 2016 survey that included 435 cybersecurity professionals indicated that less than half of companies have hired a CISO so far. But when’s the right time to hire?
The best time to hire a CISO is before your first major security breach. If you’re still asking yourself “What’s a CISO?” after hackers strike, odds are that your company won’t be around much longer. Think about the potential risks if your critical systems are infected, or if you’re forced to pay a ransom. You’re probably ready to hire a CISO when you’re ready to change the way you do business in order to increase your security.
What is a CISO’s Key to Success?
We all know that there’s an employment crisis in information security, but if you need a CISO, it’s worth giving them all the resources they need. Which then leads to the question, what are those resources?
CISOs are business leaders. In that sense, what they need to succeed are the same things that everyone else needs. For example, business unit leaders need to communicate with the rest of the company in order to make a case for their budget and workforce. CISOs also need to communicate with the company, in order to set cybersecurity policy. This doesn’t just require communication skills—other C-levels must support and amplify the CISO’s message.
CISOs also need trust. Security breaches happen, and most of the time they happen in spite of a CISO’s good-faith best effort. Breaches, after all, are a matter of when, not if. When a security breach happens, judge the CISO by their incident response plan. You hired a CISO based on their strategic ability, and every sound strategy incorporates a plan to minimize the impact of failure. Did your CISO contain the damage from what was otherwise a successful security breach? Then keep them.
SentinelOne Gives Your CISO the Best Tools
Want to make your CISO’s job easier? Make sure that they can equip their staff with tools that can detect and mitigate the worst of the worst. SentinelOne can form the lynchpin of a strategic plan to cut down viral infections, and its sophisticated digital forensics package will help CISOs collect statistical data on the nature of the threat you’re facing. This allows them to further refine their plans to keep you safe.