
Who Is Responsible for Cybersecurity Concerns at Your Company?


The fact that many large retailers did not have a designated Chief Information Security Officer (CISO) featured prominently in the media reports of recent retail breaches, and it may have contributed to the ease with which some of these hacks were performed. Cybersecurity is a core concern for any company. Legislation is now filling this gap in certain industries by mandating that a named individual within the company hold the CISO role. Some legislation, such as the General Data Protection Regulation (GDPR) in Europe, requires that a Data Protection Officer position exist as well.

Large corporations have been under fire for not having a designated CISO as part of their executive leadership team. Not having a CISO role in your organization can hurt you from many angles: from genuine cybersecurity breaches, to a poor response to a breach, to negative press about the lack of this function.

From a financial reporting standpoint, the Sarbanes-Oxley (SOX) Act requires accurate and transparent financial reporting from US-based companies, and being able to prove that financial records have not been tampered with is an important piece of meeting those requirements. SOX and cybersecurity are joined at the hip in that regard.

If you are a business owner or executive, you already know that tying a person’s compensation to his or her performance is part of getting good results from your employees. This is what commissioned sales is all about. Most companies have someone who oversees sales, someone who heads operations, someone who leads finance, and someone who manages HR. Even if you don’t have specific individuals assigned solely to those functions, certain people are responsible for them. If sales are down, you know whom to speak with to devise a plan of attack, plain and simple.

Depending on the size of your organization, you might have in-house legal counsel, or you might outsource that function in the form of an attorney-on-retainer. You might have a head of IT, or you might outsource that as well to a managed services provider. An in-house or outsourced approach is okay, as long as those resources are available to you when you need them.

Cybersecurity is a responsibility that spans all aspects of a company. If someone needs technology to do his or her job, that person needs to have a basic understanding of cybersecurity.

Who is responsible for the cybersecurity aspects of your organization? Does that person’s job description include a bonus plan for meeting previously agreed-upon cybersecurity goals for your company, such as meeting PCI compliance guidelines, becoming ISO 27001 certified, or meeting GDPR requirements? As a business owner or executive, getting too far into the weeds on cybersecurity is unproductive.

However, you must have someone on your core team who knows those acronyms inside and out. That person may be in-house or outsourced. Various firms specialize in providing advisory services to businesses that need a CISO, but not on a full-time basis.

How do you fix this issue? Create the role of Chief Information Security Officer in your organization. Decide if this is a full-time or part-time position. Finding someone who genuinely understands your organization’s competitive advantages is critical. There is no “one-size-fits-all” solution to cybersecurity, and if implemented in a manner that causes a poor end-user experience, cybersecurity can do more harm than good to the bottom line of your organization.

It is critical to find a CISO who can help you understand the minimum you need to do to reduce your cybersecurity risk to a level that is acceptable to you. This person should understand your industry and your business well enough to suggest ways that cybersecurity can be a competitive advantage.

Many companies, including some large ones, ask their Chief Information Officer (CIO) to also take on the responsibility of CISO. We do not advocate this approach. The conflict of interest is obvious: many things that are very good for a strong cybersecurity program are not very good for a system administrator’s ease of access to your servers, or for a developer’s ease of programming a new feature into an application.

It would be much easier for an administrator to directly access any server from anywhere on the Internet rather than going through a Virtual Private Network (VPN), but doing so opens up a large security hole. If developers did not have to check their code for the common vulnerabilities that hackers exploit, they could possibly get more features into an application more quickly, but those features may lead to a security breach.

It is helpful to visualize this issue in terms of building a car: if we took crash testing and vehicle safety off the table for automobile design, cars would be cheaper, lighter, more fuel efficient, and even perform better. The downside of doing this would be more serious injuries when accidents occur, and more automobile-related fatalities on the road. This is, of course, unacceptable, so crash testing and vehicle safety are critical design aspects of any car. Normally, a head of safety for any new automobile design works in a “healthy tension” between the people in charge of vehicle performance, vehicle fuel efficiency, and vehicle price.

To put one person in charge of more than one of these areas creates an obvious conflict of interest. Similarly, if you put one person in charge of both your information technology as a whole and your cybersecurity program, that person will face the same conflict of interest.

Finally, it is critical that everyone in your company knows who is responsible for cybersecurity. Employees need to be trained on which issues to bring to this person’s attention (or to the attention of the group that reports to this person), on how the company defines success when it comes to cybersecurity, and on the role they play in keeping your company safe from cyber threats.

To summarize, your company needs a CISO, either an external part-time contractor or a full-time team member. This person should not report to your CIO (or be your CIO). This person needs to have a strong understanding of how your organization works operationally, not just technically. Your CISO needs support from you and your executive team in order to incorporate cybersecurity as part of your company’s culture. Your team needs to know who the CISO is and how to make contact with this person if a cyber incident is suspected.


Era Innovator

Era Innovator is a growing Technical Information Provider and a Web and App development company in India that offers clients ceaseless experience. Here you can find all the latest Tech related content which will help you in your daily needs.
