An insider’s perspective: Who is the best fit for the CISO post?
In an era where data breaches set organizations back heavily, not least through eye-watering regulatory penalties, the Chief Information Security Officer’s role becomes vital in raising the maturity of the security infrastructure. The CISO is a position many aspire to, and it is undoubtedly the head of the class in the IT industry, literally and poetically.
But the million-dollar question is: who can do justice to the role in its full capacity?
It is a position that requires a recognized track record of extensive experience and knowledge, awareness and understanding of emerging technologies, and an eye on every development in the cyber security industry. I would personally describe the above as the so-called C-suite profile that eagle-eyed corporates look for in the industry. With cyber security booming in today’s generation, it still surprises me that at most corporate giants the Chief Information Security Officer reports to the CIO or CTO, whereas the reporting line should be to the visionary of the organization, the CEO. That is another topic to debate and one that may not be easily concluded.
In some pre-Y2K-era pioneer organizations, we have come across ICT engineers and IT project managers who turned into CISOs, probably after a major breach, and most of them then operate the cybersecurity function as a pure IT task. This will not help to eradicate the real cybersecurity risks of the company. A cybersecurity framework must not be established merely to meet a regulatory requirement or to clear a Big 4 audit checklist; rather, it should be designed around a thorough, forward-looking defense-in-depth model. Only a good CISO can inject security considerations into every business element. That needs a great vision and a practical mission.
On the other side of the corporate world, especially in recently expanded companies and startups, you may see a different breed in the CISO office: people with many years of experience as security auditors, security engineers, security analysts or ethical hackers, who take on senior roles such as security director and finally reach the CISO milestone. While the former technocrats get into these roles to close an audit finding or after a security breach, and only then learn about security processes and their functions, the latter typically bring fine-tuned security knowledge from their experience, exposure to the latest threat landscape, security certifications and so on.
Now, one must agree there is NO cybersecurity canon that says who the apt candidate for the CISO role is. From my experience interacting with multiple CISOs in past work and consulting roles, I would suggest that an experienced IT specialist, be it a programmer or a network engineer, who has a deep interest in and "aptitude" for cybersecurity can be molded into a senior cybersecurity professional. Such people understand the IT issues involved in deploying a security process or introducing a security solution into the company’s IT landscape. In this modern era, management does not wish to see just gaps and audit findings; it needs solutions and faster, more efficient countermeasures to detect and prevent security mishaps before they materialize. With a pinch of project management experience, the CISO recipe should yield good results in meeting any organization’s cybersecurity risk appetite. At the end of the day, any security investment should be deployed at the earliest opportunity and run as efficiently as possible to detect and prevent security vulnerabilities from being exploited.
However, in reality we often say that any C-suite role involves only P&P, "PowerPoint slides and politics". To me, a mature cybersecurity KPI matrix and external assurance (ISO 27001, SOC 2, etc.) should do the talking for any CISO in board meetings. On a subtler note, a modern CISO should have strong technical and security knowledge and must be able to demonstrate that it is aligned with the organization’s strategic and business objectives.
This article is written by Sachin Babu
Head of Cybersecurity GRC – Oil and Gas Sector Company