Let’s face it, being a CISO can be one of the most thankless jobs in the c-Suite. I’m sure there are many security professionals who will say it is in fact the most thankless job in the c-suite.
Consider that if everything is going well, and there hasn’t been any major events or data breaches, no one really thinks about the job the CISO is doing — unless of course the CISO is getting in the way of a new project in trying how to advice how to do things better.
Certainly, few CISOs report getting pats on the back and high-fives for their not being a data breach on any given day. But the second something goes awry, such as a breach, or an insider who has gone rogue, or web apps succumb to a denial-of-service attack the CISO’s name is mud.
With this in mind, I thought it’d be a great idea to take a quick look at some of the ways your CISO has saved your organization’s cyber over the years:
Through improved security awareness. In larger enterprises, the CISO is the one out there building security awareness throughout the entire organization. For starters, just the presence of a CISO communicates to employees, as well as partners, suppliers and customers that security is important to the organization. Without a CISO in place, there’d be no one in the organization dedicated to driving cybersecurity awareness, from employee security awareness training to formal training for developers and executives.
By increasing security awareness — your CISO helped to save your cyber.
By educating the board and executives on cyber risk. The CISO is the person best equipped to educate the board of directors and executives when it comes understanding how digital and information risks translate into business risks. This could be when trying to justify increased investment in software security testing, the focus isn’t on reducing bugs — it’s on how reducing bugs will reduce risks of a data breach, improve application uptime, and reduce costly software fixes down the line. The CISO can help educate the board and executive leadership how every technology decision involves risk. Certainly, that risk can be managed: but every business and technology decision does involve risk.
By educating the board and executive leadership about how business and technology decisions affect cybersecurity risks — the CISO has saved your cyber.
Building a security culture. The CISO can take the lead and help the enterprise build incentives that reward good security. How can developers, operations teams, lines of business managers, all the way through the receptionist be rewarded for keeping security top of their mind? There are many ways, from rewarding developers for improving the number of defects in their apps to providing everyday employees gift cards for not opening that phishing email. There’s always a way.
By helping to build a security culture — the CISO has saved your cyber.
Building, maintaining an enterprise security and risk management program. Building such a program is no easy task, and it’s likely impossible without someone heading the initiative to build and maintain the effort. It’s the CISO who builds the information security policy that is tailored to the specific organization and industry, helps classify assets throughout the organization, establishes the security controls necessary to keep systems and data secure – and makes sure staff and contractors have access to only what they are authorized to access. And it’s the CISO that built the incident response team that is capable of rapidly putting an end to attacks when they do occur. While these tasks aren’t all that your CISO does, it shows the importance of having the CISO there to keep the security program in place and running smoothly.
By building the information security program, putting the processes and controls in place that ensure the program’s policies are enforced, and keeping the program running and aligned to business strategy the CISO has saved your cyber.
Create a more resilient network. By improving security awareness throughout the organization, educating and helping the board and executive leadership understand right, promote a security culture, and build a mature information security program, and keep all of that aligned with business goals the CISO will help create a more resilient enterprise.
By building a more resilient enterprise, the CISO has helped to save your cyber.