Does your company have a CISO or a CSO? You might need one.
INSIGHTS: from the Naked Headhunter
We’ve all read the headlines. Sony hacked; Apple hacked; a massive dump of internal documents published after a breach; and so on. We’ve read the countless articles on election tampering enabled by breaches and bot-driven information campaigns. Business executives have to admit that we live in an increasingly data- and information-driven world, and that the data that shapes our business know-how and intellectual property is among our most important assets. So, just as you wouldn’t leave cash sitting on the desk in your office, isn’t it about time you made sure someone is executing a strong strategy for protecting your data assets? That person would be your Chief Information Security Officer (CISO), sometimes referred to simply as a Chief Security Officer (CSO), although a CSO’s remit is often broader and may include physical security as well.
I decided to raise this issue because it continues to pop up in conversations I’ve been having with business executives and organization leaders. Do we need to appoint someone as our company’s CISO? Is there even an industry standard for such a role, and what should we expect of this person?
My short answers are “Yes” and “We’re learning.” As long as your information assets and your intellectual property are key to your business’s success and growth, you need a strategy to protect them, and someone to define and implement that strategy. As for a common norm for what an information security officer should do and how they work with an executive board, that role is still evolving as businesses learn to deal with information security needs and come to terms with the threats they face.
Below, I’ve put together a list of critical skills a CISO needs, and I would love to hear your feedback on your own experience in seeking candidates for such roles. What has your experience been in finding talent to protect your most valuable data assets?
Skills your CISO needs to have…
- Knowledge of how standard operating systems and networks work, and how business applications (both internal and mobile) run across the enterprise.
- Understanding of the security challenges that come with newer technology trends (cloud computing, BI and Big Data, BYOD set-ups and use of social media).
- Insight into behavioural psychology: why technology users behave the way they do, what might motivate both internal and external security breaches, and what motivates attackers.
- Comprehension of business processes and how security policy impacts the day-to-day of business technology operations. Security measures can’t come at the cost of slowing business efficiency.
- Persuasive skills, in order to convince board members of the value of their vision for business information security: the ability to convey security concerns, and the business risk behind them, in board-level language.