The Chief Information Security Officer (CISO) is the most senior cyber security role in any organisation. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy affects every level of the organisation.
In situations where customer information is compromised by malicious actors, the reputational damage to the business can prove fatal to the CISO’s position.
With significant risk comes significant responsibility. With this in mind, Acumin Consulting, premium cyber security recruitment provider to FTSE 250 organisations, caught up with Howard Pinto and Bryan Littlefair about their previous CISO stewardships at organisations such as QBE, Vodafone and Aviva, to find out what really kept them awake at night in this high-pressure role.
If we consider the CISO the most dangerous job in security, what motivates those who take it on, and what is required to be truly successful in a senior management role in security?
Being agile in response to threats whilst keeping to security programme deadlines is near impossible without significant resource, and that resource comes with sign-off from the board. Aligning security strategy to wider business strategy is undoubtedly complex, but necessary to have real impact.
Influences on the CISO's design of security strategy come from organisational and market factors, as with any executive role. We are living in an increasingly challenging world for security professionals: threats are developing, and the rate of digital transformation within organisations is only increasing the attack surface. Regulatory changes such as GDPR have also more recently had a large effect on organisational approaches to customer data protection.
As organisations move toward a more mature model of managing risk, many are still acutely aware of the increasingly sharp teeth of the regulators, especially businesses within banking, financial services and insurance. As regulators look for more integrated strategies, the disciplines the CISO needs to manage diversify into more and more areas of the organisation.
Ensuring the sustained interest of the board is likely the key challenge most CISOs recognise as impacting the effectiveness of their team, especially in organisations split across multiple locations or countries.
CISOs face a potential pitfall as organisations wake up to the need for a significant cyber strategy: how that strategy works not only with the board, but with the wider executive team.
It is important, and it is a trap many CISOs and security teams can fall into, not to be seen as the team that only becomes useful in times of crisis.
Every business needs to be able to take risks, otherwise it does not advance. For many CISOs, making sure security is not a barrier to progress is a personal challenge.
The tug of war between ensuring that relevant risks have been identified and the right approach has been taken to managing or mitigating them, while balancing this against business needs, is challenging. A negative opinion of a CISO as prohibitively risk averse can derail relationships with executives.
Whilst every business area will submit a risk appetite statement, these have to be aligned with the board's priorities. Quantifying cyber security risks is an important consideration for CISOs who want their needs met.
Working out who should be responsible for security risks in the organisation needs a Swiss army knife approach. Many security teams appreciate that security is not just the responsibility of the CISO. As all businesses operate in a dynamic landscape, unless you have effective education at every level of the organisation you cannot beat the myriad threats out there. Every organisation is at risk of being taken advantage of by a hacker; whether the attacker succeeds depends on how staff react, not just on the security team.
Awareness programmes and staff education play a large part in this, as does limiting staff's exposure to attack through access rights. Getting buy-in from executives and senior managers can be difficult if the evidence for such an extensive risk mitigation strategy has not yet been proven necessary by an incident.
Cyber security management has a much larger role in the organisation than being a foghorn for threat announcements, and the ways in which CISOs interact with other executives are significant.
One relationship that can hinder a CISO's security strategy is that with the business's CIO. In most businesses, the CISO reports into the CIO, or the two interoperate to a significant extent. In many organisations, budgets and priorities between these two executive positions are not aligned. A CISO's ability to collaborate is vital.
This comes into practice with simple processes such as patching, where delays mean security issues could arise, but the CIO is directly incentivised to limit downtime and ensure the delivery of products to the business and its customers.
It’s clear the CISO has a great many strategies to consider, not least in managing internal relationships. Finding the right executive culture that recognises security strategy as integral to business growth is increasingly important, given the industry landscape of increasing regulations and diversity of threats.
Understanding what skills are necessary to drive strategy through every level of the organisation is a difficult challenge for those looking to hire their next CISO. The role is no doubt in part a communications role. The value of the CISO lies in their ability to translate risk into something that resonates with the receiver.
This is particularly relevant considering the number of CISOs in post with a non-technical background. In the case of the two CISOs interviewed here, their technical experience is the backbone of their career tenure. The extent to which these skills are strictly necessary is debatable. What is clear is that influence drives results in the boardroom and with fellow executives.
Acumin works with organisations to hire the best cyber security talent in the market, with a particular emphasis on global executive search. To learn more about our approach to recruitment in security, visit us here.
Established in 1998, Acumin has grown with the cyber security industry. Over two decades, we have become the first choice cyber security specific recruitment consultancy for some of the world’s leading brands. We provide the expertise to protect your most valuable assets.
Our highly trained consultants are subject matter experts, who provide an advisory service tailored to your requirements.
To learn more about our Global Executive Search services, visit our website.