Does your organisation have a Chief Information Security Officer (CISO)? Are you thinking of appointing one? Whether or not you use the term CISO, you probably have someone responsible for Information and Cyber security. So how do you know if you have the right person for the job? And what are the risks if you don’t?
The CISO role is relatively new within the last 25 years, and in that time, it has evolved, just as cyberthreats and cybersecurity have evolved. See our blog post on the cyberthreats to look out for in 2022, and you’ll see why it is so important to have someone responsible for your cybersecurity at a senior level.
It’s easy to see why a system administrator or other IT professional might be earmarked for a cybersecurity role. After all, a CISO (or whatever you choose to call the role) needs an IT, Information and Cyber security background, familiarity with the latest industry detection, protection and incident response technologies, with a good understanding of security frameworks and standards. There is a lot of overlap/competition with other roles, such as Chief Security Officer, Chief Information Officer, or Chief Risk Officer. An IT professional whose ambitions to be CIO have been thwarted may well target the CISO role instead.
However, if you appoint (or promote) your CISO only on this basis, you might be missing out on some critical skills and competencies needed in the job. The CISO role is multi-faceted, and soft skills and leadership qualities are as essential as technology skills.
Your Information and Cyber security strategy need to align with your business strategy. What are your key business risks and vulnerabilities? What processes are critical for business continuity? Not all cyber threats are equal. Some pose a much greater risk to your business than others. If your CISO does not have a thorough understanding of your business, you might find you are protected in less key areas but exposed where it really matters.
If Information and Cyber security responsibilities are not senior enough, it won’t have any clout with the board. Ideally, the CISO should be part of the C-suite. Therefore, leadership skills are essential, along with an ability to strategise and advise. The CISO needs to be able to convince senior colleagues of the importance of investing in Information and Cyber security and the value it can bring to the organisation. Furthermore, Information and Cyber security must be an integral component of business strategy.
Leadership concerns have been raised in online publications where NEWORDER has provided inputs. Further reading of these publications can be found in our blog section;
To do all that, the CISO needs to be able to communicate effectively. They need to speak the language of business and not fall back on InfoSec jargon. They need to get buy-in from colleagues and directors, which means framing Information and Cyber security in terms non-IT people will understand. When you experience a cyberattack, as you almost certainly will at some point, not only do you need strong leadership, you need clear, unambiguous communication, and you need it swiftly and calmly. So a CISO must also be decisive and measured, able to keep a cool head in a crisis.
If your CISO is a technical whizz but lacks soft skills if they cannot enlist the support and assistance of colleagues or explain the return on investment of Information and Cyber security expenditure to your board, your InfoSec strategy may let you down when you need it most.
Cybersecurity is a relatively new field of expertise, and the CISO role is historically young and still evolving. There is no accreditation authority in South Africa that accredits InfoSec practitioners in the same way accountants and other professionals are certified. Training also tends to be on the job rather than formal. However, the University of the Witwatersrand offers a Certificate in Cybersecurity Professional Practice and Leadership (CPPL) and Certified Chief Information Security Officer (CCISO) provided by the International Council of Electronic Commerce Consultants (EC-Council). But this is not the same as oversight by a South African authority. It can be hard to determine if the candidate in front of you truly has the right skills and experience for a CISO or senior InfoSec role. It’s vital to check references in detail to realistically evaluate the prospect’s capabilities. An under or over qualified appointment can put you at serious risk of weak cyber defences.
On a more sinister note, due to the lack of skills and official accreditation, the field is open to misrepresentation, if not outright fraud. It is effortless to fabricate a CV in the absence of a central register of professionals.
We don’t want to be alarmist, but there is a risk that a fraudster is not just posing as a candidate to get a high-paying job. In the realm of cybercrime, you need to be absolutely sure you don’t hire a “hacker” who will mine your data for illicit purposes, hire a person that is part of a cybercriminal syndicate to orchestrate unauthorised access into your organisation or the person hired is just incompetent to fit the role. Anyone with that level of access to your organisation’s critical assets must be carefully vetted. Follow an intense vetting process before employment!
NEWORDER can help you assess your current InfoSec resources and recommend a course of action. For example, we can help you draft a job description and identify suitable candidates for the role of cybersecurity officer or Chief Information Security Officer. Alternatively, if you are not ready to make a permanent appointment, we offer Chief Information Security Officer-as-a-Service (CISOaaS). CISOaaS provides information security leadership from an appropriate pool of expertise and technical resources within IT Governance. In addition, we will provide your senior management team security guidance and drive your information security programme.
For information on CISOaaS and the NEWORDER full range of Information Security and Cyber Security services, contact us today for a no-obligation discussion.
