Chief Information Security Officers (CISOs) aren't what they used to be. According to the Identity Theft Resource Center, data breaches exposed 169,068,506 confidential records in 2015. Before cybersecurity became a top topic within the IT world, CISOs were responsible, in general terms, for security. Today, they play a much more integral role in the enterprise.
CISOs are the senior-level executives tasked with identifying, developing, implementing, and maintaining security-related processes to protect organizations from operational risks and data breaches. A CISO’s key responsibilities may include:
- Developing and enforcing security-related policies
- Monitoring compliance
- Preserving data privacy
- Managing Computer Security Incident Response Teams
- Overseeing ID and access management
- Managing security architecture for the organization
- Performing digital forensic investigations or electronic discovery
- Contributing to the development of disaster recovery (DR) and business continuity plans
In other words, CISOs act as trusted advisers, using data to help their organization become more agile in the marketplace and make wise business decisions without unnecessary risks. They are the protectors of brand image, the liaisons between the organization, stakeholders, customers and employees, and the gatekeepers of the most important data assets within an organization.
Ever on their minds is the possibility of technical threats, regulatory constraints, and business risks as they relate to revenue and reputation. It's a big job that's becoming increasingly complex and stressful, which calls for a very specific type of professional. Here are seven characteristics of a successful CISO:
1. High-Pressure Problem Solvers
Data protection is a moving target, so CISOs have to be excellent problem solvers in order to rise above security obstacles. CISOs relish a good challenge and have the unique ability to walk the line between day-to-day management and long-term vision, always with the understanding that every decision they make could have major ramifications.
2. People People
Part of their focus is maintaining their organization's reputation, which means working with customers on a daily basis and dedicating themselves to helping solve issues across the organization, or delegating the task to someone inside the company who is equally or more capable. They communicate with stakeholders who may not have a well-developed IT understanding or vocabulary. They nurture relationships to build a helpful network of resources, and they create understanding across the board. None of this succeeds unless a CISO is inherently a "people person."
3. Globally Aware
Today, information flows freely across borders, but compliance mandates do not translate seamlessly from one country to another. That means CISOs not only require a specialized understanding of the compliance standards directly related to U.S. operations, but also of international regulatory standards like those of Europe, Asia, Latin America, the Middle East, and Africa. It's an incredibly complex web of rules and standards that affects how quickly and effectively issues can be resolved. This degree of complexity is forcing CISOs to develop greater skills in IT, law, and business.
Data is the foundation that enables security and compliance teams to defend against misconfigurations, cyberattacks, and malicious insider threats. The best CISOs know this and religiously use data to drive decisions. For CISOs to be successful, they must be comfortable with constant change, both internally and in the security threats they face. Instead of being reactionary, they forecast and recommend changes based on concrete data (not fear) to mitigate risk, and they clearly convey the need for change.
CISOs use data to measure their own performance and the performance of others within their organization. They bring data full circle, looking beyond face value to understand what the information means in terms of business operation and performance. CISOs use their findings to address weak points and better protect confidential information.
As mentioned briefly above, CISOs are business-minded individuals. They think about security in terms of business opportunity and make decisions based on how they will affect profits, efficiency, and competitive edge. That means they also have a deep understanding of the business and of what's most important to their organization. Under the pressure of bottom-line health, they protect their company as efficiently and resource-consciously as possible.
7. Workaholic Tendencies
There is no rest for the wicked, and CISOs know it. Many work long hours and weekends to stay ahead of the curve, relentlessly monitoring their organization as well as changing trends in cybersecurity to ensure proper defenses are in place. Hand in hand with this characteristic goes humility. CISOs have a deep respect for the capabilities of their adversaries and remain vigilant guards. They accept their weaknesses and endeavor to improve upon them.
The role of CISO is ever-changing to meet growing demands in cybersecurity. But one thing remains consistent: these professionals are critical to the protection of the organization and are becoming an increasingly integral part of top business decisions.
About ROB TYLKA
Robert Tylka is a Manager at Schellman & Company, LLC. Rob has over 13 years of experience in compliance and technology audits and assessments, including Service Organization Controls (SOC) reporting projects, Sarbanes-Oxley 404 compliance reviews, and ERP controls evaluations. Rob currently oversees the Chicago market and is dedicated to delivering SOC reporting projects for clients. To date, Robert has provided services to clients in the financial services, governmental, human resources, information technology, insurance, and manufacturing industries, among others. Robert has also provided professional services to companies of all sizes during his career, including Fortune 1000 and publicly traded companies.