To do all that, the CISO needs to be able to communicate effectively. They need to speak the language of business and not fall back on InfoSec jargon. They need to get buy-in from colleagues and directors, which means framing Information and Cyber security in terms non-IT people will understand. When you experience a cyberattack, as you almost certainly will at some point, not only do you need strong leadership, you need clear, unambiguous communication, and you need it swiftly and calmly. So a CISO must also be decisive and measured, able to keep a cool head in a crisis.
If your CISO is a technical whizz but lacks soft skills, so that they cannot enlist the support and assistance of colleagues or explain the return on investment of Information and Cyber security expenditure to your board, your InfoSec strategy may let you down when you need it most.
A word of caution
Cybersecurity is a relatively new field of expertise, and the CISO role is historically young and still evolving. There is no accreditation authority in South Africa that accredits InfoSec practitioners in the same way accountants and other professionals are certified. Training also tends to be on the job rather than formal. However, the University of the Witwatersrand offers a Certificate in Cybersecurity Professional Practice and Leadership (CPPL), and there is the Certified Chief Information Security Officer (CCISO) credential provided by the International Council of Electronic Commerce Consultants (EC-Council). But this is not the same as oversight by a South African authority. It can be hard to determine whether the candidate in front of you truly has the right skills and experience for a CISO or senior InfoSec role. It’s vital to check references in detail to realistically evaluate the prospect’s capabilities. An under- or over-qualified appointment can put you at serious risk of weak cyber defences.
Beware of imposters
On a more sinister note, due to the lack of skills and official accreditation, the field is open to misrepresentation, if not outright fraud. It is effortless to fabricate a CV in the absence of a central register of professionals.
We don’t want to be alarmist, but there is a risk that a fraudster is not just posing as a candidate to get a high-paying job. In the realm of cybercrime, you need to be absolutely sure you don’t hire a “hacker” who will mine your data for illicit purposes, a member of a cybercriminal syndicate who will orchestrate unauthorised access into your organisation, or someone who is simply not competent to fill the role. Anyone with that level of access to your organisation’s critical assets must be carefully vetted. Follow an intense vetting process before employment!
NEWORDER CAN ASSIST
NEWORDER can help you assess your current InfoSec resources and recommend a course of action. For example, we can help you draft a job description and identify suitable candidates for the role of cybersecurity officer or Chief Information Security Officer. Alternatively, if you are not ready to make a permanent appointment, we offer Chief Information Security Officer-as-a-Service (CISOaaS). CISOaaS provides information security leadership from an appropriate pool of expertise and technical resources within IT Governance. In addition, we will provide your senior management team with security guidance and drive your information security programme.
For information on CISOaaS and NEWORDER’s full range of Information Security and Cyber Security services, contact us today for a no-obligation discussion.