How to Hire a Good CISO: A Short But Informative Guide

J.S. Held

[author: Kevin Gorsline]

Introduction

The deluge of cyberattacks has not abated. Before discussing what a CISO does and the different ways of bringing CISO expertise into an organization, let us take a quick look at the current threat landscape.

As ever, current news articles report on companies suffering data breaches, ransomware attacks, DDoS attacks, and vulnerability exploits. It seems no industry is safe. Attacks have targeted hotels (Intercontinental), restaurants (Arby’s), telecommunications (Verifone, Verizon), healthcare (21st Century Oncology, which has incidentally filed for bankruptcy since the attack), education (WSU), and retail (Brooks Brothers, Kmart).

Naturally, companies want to identify similarities with the victims within their own organization to help gauge their exposure to cyber threats. The question is simple: "If our organization faces a similar threat, will we be able to thwart or mitigate it?"

Underlining any key differences is also of interest. There is, however, one bogus difference that is often cited and that creates a false sense of security: the belief that "We, [insert firm name here], will not be hacked because we are not a global mega-brand."

The media typically cover the "big" sensational stories of cybercrime. The vast majority of stories focus on attacks on big global brands or attacks involving millions of victims. However, attacks do not only target the largest companies. While some cybercriminals specifically target large entities, the majority target everyone else simply because they are vulnerable (e.g., WannaCry, which spread indiscriminately to any unpatched host it could reach).

Having a senior cyber expert, such as a CISO, on hand to help understand true exposure to risk can help ensure a company is adequately protected from real threats.

What Does a Good CISO Do?

Organizations don’t just want someone to add a layer of security on top of performance-enhancing strategies. They want a senior thought leader who not only understands the business opportunities for a specific organization but has a proven track record for implementing the required security processes to ensure steady business continuity and growth. There are many responsibilities that are passed on to the CISO, but let’s discuss the three most important roles of a CISO.

First, a good CISO is a cyber risk expert. A CISO’s prime responsibility is to ensure that the organization’s IT architecture is running at the appropriate risk level. They take into account the confidentiality, integrity, and availability of data and figure out how best to secure it while keeping in line with business objectives. Once the overall security posture has been assessed and benchmarked (through interviews as well as penetration tests, access control reviews, and vulnerability scans), a CISO should provide clear remediation recommendations appropriate to that specific organization.

Second, a good CISO gets compliance. A CISO should be able to confidently assure the business that it complies with all regulatory requirements that affect its services and product offerings, be that HIPAA for healthcare, PCI for the retail industry, or GDPR for data processors. A CISO familiar with all the relevant regulations should know how to move through the glut of red tape involved in achieving compliance.

Finally, a good CISO will also make sure the business has a solid plan in place should a cyber incident occur. This last component should not be overlooked. When a firm is under attack, there are many, many decisions to make in a short amount of time, many of which have a drastic impact on interactions with business partners and customers. Having a plan in place alleviates confusion, streamlines efforts, and reduces the overall consequences of a cyberattack.

Options for Hiring a CISO

When it comes to hiring a CISO, there are three options available to most organizations:

Option 1: Hire a full-time CISO

This option is suitable depending on budget (full-time CISOs are expensive and highly sought after), headcount, and knowing exactly what the organization is looking for. It is strongly recommended that companies use a trusted vetting service and industry referrals. Look at past work experience and training certifications. Reach out to past employers to get a sense of a candidate where possible. Additionally, establish a controlled cyber test scenario for interview candidates to comment upon, to get a sense of their decision-making under time pressure. Finally, get a sense of their business acumen: their understanding of risk should be directly tied to business objectives.

Option 2: Hire an external CISO

This option is good for those companies that want CISO expertise on demand without having to hire a full-time employee. The advantages of this approach include bringing in a vetted security consultant who has access to the latest tools, training, research, and approaches. CISOs who hail from reputable IT security consultancies have the added advantage of being part of a network of cybersecurity experts, which vastly increases the depth and breadth of knowledge on many topics, from compliance to risk assessments. Their exposure to many different network configurations and types of security architecture also broadens their understanding of security and risk. For the best advice, ensure the consultancy is fully independent (without any vendor or service affiliations) and well-established.

Option 3: Wait for an incident before hiring a CISO

This is not a recommended approach. When hiring a CISO to clean up an urgent cyber mess, time is a key factor, and waiting until a business has a cyber emergency on its hands can lead to mistakes. For example, having to find a CISO quickly often means skipping several vetting steps before granting unfettered access to a compromised network. Further, the chosen CISO will need time to understand the business's architecture, its existing security implementations, and what the business already knows about the attack, and that time is exactly what an incident in progress does not allow.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
