In the past decade no job title in cybersecurity has become more fashionable than the CISO.
At the same time, no job title has carried more of an air of mystery. What, exactly, is a CISO? What do they do? How do they do it? And how can you become one? Let’s find out. But to start, let’s take a look at a major story involving the departure of a CISO at a top tech company and why it’s so newsworthy.
Twitter Lost Their CISO and Privacy and Compliance Leaders: Why That’s Bad
During Elon Musk’s recent takeover of Twitter, it was announced that the company’s CISO, along with its Chief Privacy Officer and Head of Compliance, had departed the newly private, massive organization.
This kind of shake-up is unheard of at a major tech company, and highlights the importance of security-minded leadership at companies. Whether you’re a digital communications company or a brick-and-mortar healthcare organization, cybersecurity affects you. Threat actors are always evolving, so taking a proactive approach to cybersecurity — from the c-suite to the IT department — is critical for improving security posture and staying safe.
As a Twitter employee noted in the original, internal post that led to this news becoming public, “All of this is extremely dangerous for our users.”
Organizations like Twitter are not only in the crosshairs of threat actors (who doesn’t want to claim credit for being the one to hack Twitter?), but they need to maintain FTC compliance, which can be complicated, and make sure their users’ data is secure. While Twitter is able to backfill those positions if they desire to, for smaller organizations like a healthcare network or manufacturing organization, it can be more difficult to recruit and keep security roles, which can lead to major security gaps.
Now let’s take a look at what a CISO does and why they are so vital to the security of an organization.
What Is a CISO?
CISO stands for Chief Information Security Officer. The role first appeared in the mid-1990s and, as the rate and risk of cyber attacks have surged, countless companies have added CISOs to their ranks. Any organization that uses, generates, or stores data (basically every business, organization, or entity currently operating) can benefit from giving security a seat at the C-suite table, where the CISO can bend the ear and influence the decisions of the CEO and other key leaders.
What Does a CISO Do?
To put it bluntly, the CISO carries the security of the entire organization on their shoulders. They set company security policies, procedures, and standards, and are accountable for securing data, minimizing threats, and managing not only business requirements and compliance, but also the training and education of their organization’s people.
How Do They Do It?
A CISO’s mission is to help their organization get better at security. Since the role has existed for less than thirty years — a relatively short time in the business world — there is no set path that every CISO walks to achieve this mission. The techniques, strategies, standards, and procedures they implement will vary from CISO to CISO and organization to organization, as will the types of threats an organization faces and the solutions found in its tech stack.
Fundamental Steps CISOs Should Take
Build the Plan
A crucial first step for a CISO is the adoption of frameworks — one to evaluate your organization’s current security posture and one to evaluate its risk.
Widely utilized frameworks like those offered by CIS and NIST serve as excellent ways to evaluate your organization’s security posture, identify and evaluate weak spots, and develop a plan to improve.
The risk framework, however, is a more custom creation. A good CISO will ask tough questions of themselves and the rest of the C-suite. Questions like “How do we quantify risk? How do we measure it? What is our organization’s appetite for it?” Once those questions are answered, the CISO can get down to the difficult work of developing a vision for where the organization needs to be and getting buy-in from the C-suite to secure the resources to get there.
Measure, Measure, Measure
You can’t know if your security is improving if you’re not measuring it against baseline benchmarks. That said, no CISO has it all totally figured out on day one. Determining what metrics to measure can only be accomplished once a CISO has the full, clear picture of where the organization currently sits regarding security.
The measurement model will also be impacted by the size of the organization, as well as its industry. Some organizations will be focused more on insider threats, others on remote access, and still others on physical attacks like tailgating.
Understanding what metrics matter most to the organization, setting up ways to measure progress, and communicating this information clearly and consistently to the C-suite as well as the entire organization helps set the CISO up for success.
Communicate Your Vision
A CISO must be an exceptional communicator. They are the voice of security in the organization and need to be able to speak just as clearly in the boardroom as they do in the break room.
Weak security impacts the organization’s ability to operate, which can have dire consequences for every employee. A good CISO helps tell the story of security, communicating across the entire organization that security risk equals business risk. By clearly communicating what they are trying to accomplish, and by engaging others across the organization, the CISO can reinforce the idea that security isn’t just their job or IT’s job — it’s everyone’s job.
Preventing a Breach
It’s every CISO’s least-favorite question: “Are we safe?” It’s something likely to be asked of a CISO in every board meeting and every conversation with a member of the leadership team. And the short answer is no.
No organization can ever be fully, totally protected against attack. Unless you plan to unplug the computers, shut down the servers, board the doors, and brick-up the windows, there is always going to be some level of risk to doing business in the modern, interconnected world.
There are, however, ways a CISO can make a direct, meaningful impact on both the likelihood of an attack, and how much damage one can do.
Role-play Your Worst Day
A good CISO will prioritize the creation of a strong incident response plan that has been tested and re-tested across the entire organization. Crucially, this includes table-top exercises with the rest of the leadership team. While the C-suite knows the importance of security, it’s different to make them imagine what a breach would look and feel like.
By building a realistic attack scenario and walking the leadership team through it you can help prepare the organization for a myriad of possible outcomes. While it can feel like high-stakes D&D, asking them to fully engage with an imaginary worst-case scenario is the best way to mitigate the damage from a real one.
Practice Restoration and Remediation
Just as the first day an organization thinks about a breach shouldn’t be the day they’re breached, the first time an organization attempts to restore their system from a backup shouldn’t be the first time they actually need to.
A good CISO proactively tests their backup and restore procedures. They know how long it will take to rebuild a system in the wake of an attack. Smart CISOs also perform post-mortems on the hacks that make headlines, dissecting them to learn what went wrong and how their organization can react differently.
Clear Crisis Communications
In the wake of an actual attack, the adrenaline and fear will be flowing. And that, of course, is when the press — and customers — will come calling for an explanation.
Developing and practicing a crisis communications plan can help a CISO avoid embarrassing or damaging missteps when communicating to the public, to customers, and to stakeholders. However, crisis communications is a difficult skill to master. Here are some fundamentals to remember:
- Explain clearly — Tell people exactly what happened and how it will affect them
- Be honest — Don’t lie, obfuscate, or hide
- Show remorse — Apologize for the mistakes that were made
- Don’t minimize — Never dismiss or downplay concerns
- Invite questions — Offer a prepared FAQ and open the floor for questions
- Follow Up — Provide a timeline for providing more answers and context and stick to it
It’s important to note that this crisis communication step is often ignored in the wake of an attack. It’s easy for a CISO to place their focus on getting systems back online. But getting caught flat-footed by an unexpected question — or making things worse with a poor answer — is something that can easily be avoided with proactive practice.
How To Become a CISO
Since it’s a relatively new field, there’s no typical path to becoming a CISO. But if it’s something you’re interested in pursuing, a good first step is to seek out companies you respect for their security efforts, identify their CISO, and learn what you can about their background and education.
Once you’ve gained an understanding of the types of experience you may need, ask yourself what gaps you need to fill in your resume. What education or certifications do you need? What expertise and experience would serve you well once you find yourself in the CISO seat?
Don’t get discouraged if it feels overwhelming. Every CISO working today took years to develop the skills and expertise needed to do their job. So, start small. Read books on cybersecurity as well as general business titles. Sign up for a free class or webinar.
But keep in mind that a lot of what you will do as a CISO is leadership-skill based, rather than security-skill based. Which leads us to our last point:
Why You Might Not Want to be a CISO
Being a CISO requires a passion for the high-level functions of business. That means you need to be actively involved in budgets and balance sheets. If you’re principally passionate about security and don’t feel as strong about how security fits into everyday business operations, being a CISO may not be for you. Seek out other leadership positions instead, such as senior or director roles.
Having a CISO in place is critical, but it’s easier said than done, especially if an organization has competing priorities and a stagnant budget. Security operations can help ease those burdens by offering a 24×7 solution with a dedicated security team.
And watch our on-demand webinar, So You Want To … Be A CISO, featuring an exclusive interview with Adam Marrè, Arctic Wolf’s very own CISO.