What is a CISO? What They Do and How To Become One


Ah, the CISO. In the past decade no job title has become more fashionable. At the same time, no job title has carried more of an air of mystery. What, exactly, is a CISO? What do they do? How do they do it? And how can you become one? Let’s find out. 

What Is a CISO? 

CISO stands for Chief Information Security Officer. The role first appeared in the mid-1990s and, as the rate and risk of cyber attacks have surged, countless companies have added CISOs to their ranks. Any organisation that uses, generates, or stores data (basically every business, organisation, or entity currently operating) can benefit from giving security a seat at the C-suite table, where the CISO can bend the ear and influence the decisions of the CEO and other key leaders.  

What Does a CISO Do? 

To put it bluntly, the CISO carries the security of the entire organisation on their shoulders. They set company security policies, procedures, and standards, and are accountable for securing data, minimising threats, and managing not only business requirements and compliance, but also the training and education of their organisation’s people.

How Do They Do It? 

A CISO’s mission is to help their organisation get better at security. Since the role has existed for less than thirty years — a relatively short time in the business world — there is no set path that every CISO walks to achieve this mission. The techniques, strategies, standards, and procedures they implement will vary from CISO to CISO and organisation to organisation, as will the types of threats an organisation faces and the solutions found in its tech stack. However, there are fundamental steps that all good CISOs take.

Build the Plan 

A crucial first step for a CISO is the adoption of frameworks — one to evaluate your organisation’s current security posture and one to evaluate its risk. 

Widely utilised frameworks like those offered by CIS and NIST serve as excellent ways to evaluate your organisation’s security posture, identify and evaluate weak spots, and develop a plan to improve. 

The risk framework, however, is a more custom creation. A good CISO will ask tough questions of themselves and the rest of the C-suite. Questions like “How do we quantify risk? How do we measure it? What is our organisation’s appetite for it?” Once those questions are answered, the CISO can get down to the difficult work of developing a vision for where the organisation needs to be and getting buy-in from the C-suite to secure the resources to get there.  

Measure, Measure, Measure 

You can’t know if your security is improving if you’re not measuring it against baseline benchmarks. That said, no CISO has it all totally figured out on day one. Determining what metrics to measure can only be accomplished once a CISO has the full, clear picture of where the organisation currently sits regarding security.

The measurement model will also be impacted by the size of the organisation, as well as its industry. Some organisations will be focused more on insider threats, others on remote access, and still others on physical attacks like tailgating.  

Understanding what metrics matter most to the organisation, setting up ways to measure progress, and communicating this information clearly and consistently to the C-suite as well as the entire organisation helps set the CISO up for success.  


Communicate Your Vision 

A CISO must be an exceptional communicator. They are the voice of security in the organisation and need to be able to speak just as clearly in the boardroom as they do in the break room.  

Weak security impacts the organisation’s ability to operate, which can have dire consequences for every employee. A good CISO helps tell the story of security, communicating across the entire organisation that security risk equals business risk. By clearly communicating what they are trying to accomplish, and by engaging others across the organisation, the CISO can reinforce the idea that security isn’t just their job or IT’s job — it’s everyone’s job. 

Preventing a Breach 

It’s every CISO’s least-favourite question: “Are we safe?” It’s something likely to be asked of a CISO in every board meeting and every conversation with a member of the leadership team. And the short answer is no.

No organisation can ever be fully, totally protected against attack. Unless you plan to unplug the computers, shut down the servers, board the doors, and brick up the windows, there is always going to be some level of risk to doing business in the modern, interconnected world.

There are, however, ways a CISO can make a direct, meaningful impact on both the likelihood of an attack, and how much damage one can do. 

Role-play Your Worst Day  

A good CISO will prioritise the creation of a strong incident response plan that has been tested and re-tested across the entire organisation. Crucially, this includes table-top exercises with the rest of the leadership team. While the C-suite knows the importance of security, it’s different to make them imagine what a breach would look and feel like. 

By building a realistic attack scenario and walking the leadership team through it you can help prepare the organisation for a myriad of possible outcomes. While it can feel like high-stakes D&D, asking them to fully engage with an imaginary worst-case scenario is the best way to mitigate the damage from a real one. 

Practice Restoration and Remediation 

Just as the first day an organisation thinks about a breach shouldn’t be the day it is breached, the first time an organisation attempts to restore its systems from a backup shouldn’t be the first time it actually needs to.

A good CISO proactively tests their backup and restore procedures. They know how long it will take to rebuild a system in the wake of an attack. Smart CISOs also perform post-mortems on the hacks that make headlines, dissecting them to learn what went wrong and how their organisation can react differently. 

Clear Crisis Communications 

In the wake of an actual attack, the adrenaline and fear will be flowing. And that, of course, is when the press — and customers — will come calling for an explanation.  

Developing and practicing a crisis communications plan can help a CISO avoid embarrassing or damaging missteps when communicating to the public, to customers, and to stakeholders. However, crisis communications is a difficult skill to master. Here are some fundamentals to remember:  

  • Explain clearly — Tell people exactly what happened and how it will affect them 
  • Be honest — Don’t lie, obfuscate, or hide 
  • Show remorse — Apologise for the mistakes that were made 
  • Don’t minimise — Never dismiss or downplay concerns  
  • Invite questions — Offer a prepared FAQ and open the floor for questions 
  • Follow up — Provide a timeline for providing more answers and context and stick to it

It’s important to note that this crisis communication step is often ignored in the wake of an attack. It’s easy for a CISO to place their focus on getting systems back online. But getting caught flat-footed by an unexpected question — or making things worse with a poor answer — is something that can easily be avoided with proactive practice.

How To Become a CISO  

Since it’s a relatively new field, there’s no typical path to becoming a CISO. But if it’s something you’re interested in pursuing, a good first step is to seek out companies you respect for their security efforts, identify their CISO, and learn what you can about their background and education.  

Once you’ve gained an understanding of the types of experience you may need, ask yourself what gaps you need to fill in your resume. What education or certifications do you need? What expertise and experience would serve you well once you find yourself in the CISO seat?  

Don’t get discouraged if it feels overwhelming. Every CISO working today took years to develop the skills and expertise needed to do their job. So, start small. Read books on cybersecurity as well as general business titles. Sign up for a free class or webinar.  

But keep in mind that a lot of what you will do as a CISO is leadership-skill based, rather than security-skill based. Which leads us to our last point:  

Why You Might Not Want to be a CISO

Being a CISO requires a passion for the high-level functions of business. That means you need to be actively involved in budgets and balance sheets. If you’re principally passionate about security and don’t feel as strong about how security fits into everyday business operations, being a CISO may not be for you. Seek out other leadership positions instead, such as senior or director roles. 

Next Steps:

For more information on this crucial leadership role, watch our on-demand webinar, So You Want To … Be A CISO, featuring an exclusive interview with Adam Marrè, Arctic Wolf’s very own CISO. 

Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.