How a CISO can Protect Your Digital Assets – Without Breaking the Bank
The True Definition of a CISO and Why You Need One (it’s keeping you up at night!)
A cyber-attack on your business is not a matter of if, but when. The nature of corporate asset value has changed significantly, shifting away from manufacturing items and towards virtual services and data; we all have digital assets and IP at risk. Leading companies are now viewing cyber risks in the same way they do risk management – in terms of a risk-reward trade-off. Seemingly overnight, cyber security has evolved from an important enterprise function into a strategic and operational board-level critical issue that affects almost every aspect of business and information technology.
Fractional Chief Information Security Officer (CISO)
One recent study found that 80 percent of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. Along with the rapidly expanding “digitization” of corporate assets, there has been a corresponding increase in corporate risk. Accordingly, policymakers, regulators, boards, shareholders, and the public are more attuned to corporate cybersecurity risks than ever before. Organizations are at risk from the loss of IP and trading algorithms, personal identity theft, destroyed or altered data, declining public confidence, harm to reputation, disruption to critical infrastructure, and new legal and regulatory sanctions. Each of these risks can adversely affect competitive positioning, stock price, shareholder value and careers.
This is especially challenging in the cyber arena for two reasons. First, the complexity of cyber threats has grown dramatically. Corporations now face increasingly sophisticated attacks that outstrip traditional defenses and intellectual knowledge. As the complexity of these attacks increases, so does the risk they pose to corporations. As noted above, the potential effects of a data breach are expanding well beyond information loss to include significant damage in other areas. Second, competitive pressures to deploy increasingly cost-effective business solutions often affect resource investment decisions. These two competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level has become essential.
The biggest challenge of cyber security is the quickly and constantly evolving nature of the various security risks themselves. Getting a handle on the current environment – including external cyber-attacks, internal employee access, and choosing the right technology tools – is heaping additional pressure on already overwhelmed IT departments.
Through this evolution, a new role has emerged – the Chief Information Security Officer (CISO).
Most organizations are not prepared to invest in a full-time CISO. According to Salary.com, the 2014 total compensation for a CISO is $251,904. Compensation aside, the CISO is not an individual. Why?
McKinsey & Partners:
“The risks of cyber-attacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyber resilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team.”
“It’s not easy being a CISO. On one hand, there’s the ever-present challenge of facing the board – struggling for extra budget dollars that don’t exist and trying to articulate security threats in business terms to a non-“techie” audience. Then there’s the threat landscape itself: ever-changing, ever-advancing while the CISO’s resources remain static, and executed by an increasingly agile, resilient, well-funded and sophisticated enemy. Viewed in these terms, the CISO is probably one of the most challenging roles in modern business.”
Bottom line, security and compliance are a balancing act with business needs.
What’s the answer? A Fractional CISO. An FCISO should be a function rather than an individual: multiple professionals providing one function. The traditional CISO is an individual who is either a security expert or has IT experience.
What this means to you is having a fractionalized team of professionals whose expertise extends beyond the role of a cyber-techie, to assist leadership and the Board as it wrestles with the complex issues of risk management, compliance, and the “needs of the business.”