Why More Companies Are Looking for a CISO


A growing number of web and data threats has companies scrambling to find someone to take charge.

Since the birth of computing, there’s been a need for the “IT-guys,” the ones you could call when an issue required technical assistance and would come running to the rescue. But with the dotcom boom of 2000, this need has spiked even more. Not only has technology changed from centralized computer centers to cloud environments, but hackers’ strategies for attacking have become increasingly complicated. While IT geniuses used to be portrayed in popular TV shows or movies as hooded loners in basement corner offices, now the IT department is an integral part of any enterprise dealing with sensitive and valuable information. In fact, some companies are going as far as to place a Chief Information Security Officer, or CISO, in their c-suite.

While many ask if there really is a need for a CISO when you could simply have an IT-manager to look over the security of the organization, more companies are scrambling to find someone to take charge of this sensitive area, and we stand behind them in that choice. Here are three reasons that hiring a CISO can work in your company’s favor.

Preventing Damage Before It Happens

First and perhaps most obviously, a CISO’s job is to make sure that the information and assets of a company are secure. Unlike Chief Security Officers (or CSOs), a CISO has the added responsibility of making sure that digital assets are protected. This makes life a bit harder as digital assets don’t have a tangible presence, meaning that simply locking it in a safe and guarding it won’t do much in terms of security.

There are various things that CISO can do after an incident in order to take care of the damage, but a large part of being a CISO involves setting up protocols so that damage can be prevented before it even happens. For example, they can set up access controls so that only a select few at the corporation have access to certain servers and permissions, backup storage regularly, and utilize encryption solutions to protect sensitive data. CISOs are also the ones that have the final say in which web or data security solution to go with; whether it’s a web application firewall (WAF) or WAF service, data encryption solution, or a multi-factor authentication system, the CISO has it under control.

executive-2051414_1920Aligning Security Policy with Business Outcome

However, at this point you might say that the above is something that even an entry-level employee could do, if given the time and resources. However, most will agree that in any company, there’s a large gap between different departments. The IT department may not understand sales, business development might not understand web developers, etc. These miscommunications may be from the language, demeanor, or even the strategic mindset that the other may hold. While before, security managers were mainly technical in nature, at the end of the day, the corporation must stay financially viable in order to continue. Therefore, now the CISO must have both business and technical skills and ultimately be the senior-level executive who’s responsible for balancing the technical policies along with the business factors.

He or she is, in a way, a bridge to connect the gap between the two sides. A CISO offers a unique perspective on how to deal with the risks and dangers of data breach that neither side may be able to grasp. The CISO is a difficult position to fill because of this balance of business and technical: most corporations look for someone with an academic background in information security and/or business with CPA, CISSP or PMP certifications, OWASP or CISO forum memberships, as well as 10+ years of experience in information systems leadership. Not an easily acquired curriculum vitae.  

The Face of Security

Last of all, having a CISO for the organization tells the world that your company stresses the importance of valuing customer data. While other companies may be fully capable of dealing with vulnerabilities and threats on their own, customers can gain a tremendous amount of respect for a company if they’re able to see publicly and visibly that there is someone working on the company’s behalf to secure their sensitive information.

Many CISOs will work inside the office as well as outside to educate partners and the general public on information security issues. Other companies may see this and also be encouraged to hire their own CISO. If companies start to prioritize information security as much as they do finances, executive administrative duties, and technology and put a face to information security among the top level of executives, perhaps the entire world of business and industry will start to put security at the forefront of business decisions.