July 31, 2020//Ellen Neveux
More and more companies are hiring Chief Information Security Officers (CISOs) to navigate the rough waters of cybersecurity. The need for CISOs in enterprise organizations is at the height of importance with the increase in both ransomware attacks and data breaches. Again, we’re not going to be the first ones to tell you that the days where data breaches, ransomware, and other forms of cyberattacks were rare are gone. Cyberattacks have an observable, but rarely reported effect on CISOs. With the almost daily data breaches, CISOs are realizing that there is a huge target on their back when (not if!), a data breach occurs.
A little dirty secret of the IT industry is that many people within an organization don’t actually know what a CISO does. However, those that do, see “information security” in the title of the job, and expect certain things. Because of these expectations, when IT failures occur fingers are often pointed in the CISO’s direction first. It stands to reason that anyone who manages information security should be accountable when a lapse in cybersecurity allows a data breach or ransomware attack.
Though a CISOs responsibilities may differ from company to company the core role is well defined; a CISO is essentially a senior-level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy. So it stands to reason that the CISO role is often held accountable when a data breach, of any form, occurs. In fact, according to a survey reported by Tripwire, 21% of IT decision-makers would most likely blame a data breach on the CISO. The CISO isn’t the only one that’s seen as being accountable, of course; it is seen as the second finger that gets pointed, after the one that’s pointed at the CEO, of course. This goes a long way in explaining why the average tenure of a CISO is a mere 18 months. A CISO’s time may be short, but the potential impact of their role is mighty—data breach recovery can cost a company over $3 million in recovery and $1 million to discover a breach.
The CISO position isn’t really talked about in mainstream media, that is until a cyberattack is in the news. In other words, all news is bad news: whenever you get a notification, see a Tweet, or read an article about an organization getting breached, you’ll hear a CISO’s name.
CISOs have an incredibly difficult job because they’re expected to be able to secure an enterprise or organization from all angles and at all hours of the day. This is why when a cybersecurity issue arises, the fingers are pointed directly at the CISO.
When a breach or ransomware attack occurs, consumers want to see that the person responsible for the attack is held accountable. Breaches are often the fault of an institutionalized failure of policy and not that of a single individual, however, because the policy often falls to the CISO, a CISO may lose their job in order for an organization to preserve their reputation with its consumers. Hence the average 18-month ticking clock.
Not only does a CISO have to worry about their actions, but they are also accountable for their team if it were to fail to detect or respond properly to a breach. CISOs are also expected to manage issues external to the company (e.g. those faults of a partner or third-party vendor) as well. Imagine an example where a third-party weakness is found that allows a bad actor to get into a network and cause measurable harm. A CISO will, more likely than not, be held accountable for this security failure.
Worse still, are the outliers: like the story of the Uber CISO participating in a data breach cover-up. A breach looks bad enough for a company, but a cover-up can destroy an entire company’s reputation.
It is difficult to talk about a CISO’s role without also mentioning compliance. A CISO is often responsible for monitoring regulatory compliance for whatever industry they operate in. No matter the regulatory standards in place, adherence to the compliance standards is expected. And this responsibility falls to the CISOs and they are expected to handle it all—from making sure the third-party vendors are granted proper privileges to educating employees on the nuances of phishing emails.
Because the CISO role is often on the chopping block in order to send a message after a public data breach, a CISO should act to preempt and anticipate failures in IT security.
A CISO should never feel alone in their quest to keep their company safe. To learn more about the importance of implementing the right tools to have a full cybersecurity platform that keeps your company (and your job) safe, check out our helpful brochure about implementing a standardized vendor management platform.