The person in charge of your cybersecurity program is often called the Chief Information Security Officer, or CISO.
About the CISO Title, and Why It Matters
The CISO title is largely externally facing. It’s an important statement to the market about how seriously you treat cybersecurity.
But the person in this position should also be titled according to their location in the organizational chart. That might be a manager, director, or vice president. The internal title you give to this role is a statement to your staff about how seriously you treat cybersecurity.
Qualifications for the CISO Role
It used to be that the CISO was a person with a highly technical background. So, it was only natural to place the CISO inside the IT department.
But because of the increasing criticality of the role to the overall performance of the organization, that doesn’t make as much sense these days. And it will make less sense in the future.
It’s more appropriate for the CISO to report to the CEO, General Counsel, or COO. And, it may make sense for the CISO to be an attorney or an executive business manager.
The person in the CISO role must be a visionary, a manager, a leader, and an expert in the business of their organization.
No matter the title or location on the organizational chart, the CISO has some unique responsibilities that cannot be delegated.
Cybersecurity Program Vision
Setting a program vision is uniquely the program leader’s duty, and it’s essential.
When the CISO shares their vision of the future, they will engage people emotionally with the cybersecurity program.
Not only that, but the culture of the CISO’s staff will also spring from their vision. By culture, I mean the values and norms everyone follows.
The CISO will also use the program vision to set individual and team performance expectations. A well-defined vision can help staff find the motivation to achieve the big things that are expected!
Otherwise, Your IT Security Weakens
Without a program vision, it’s difficult for people to connect with the program. They may become disengaged from their work.
This includes both the CISO’s staff and everyone else in the organization, particularly first-level supervisors and individual contributors.
And that will make the CISO’s job more difficult.
Example Program Vision
The last time I was a Chief Information Security Officer it was for an insurance company. Because of the culture of our company, we called it our Purpose rather than our Vision; it resonated better with our internal customers.
During the creation of our Purpose statement, I involved members of my team and our most important stakeholders, such as senior executives.
As I told my staff at the time, our Purpose needed to be bold and guide all our actions. So, we wrote our Purpose statement to be thought-provoking to ourselves and to the people who depended upon us.
After a process lasting about two months, our Purpose was stated as:
Peace of Mind is Our Profession
Our Purpose statement tied our program to the larger organization. Being insured does bring peace of mind just as a good cybersecurity program does.
Set Program Goals
Another duty that is uniquely the CISO’s is to set the high-level goals of the program.
With goals in place, you can clearly explain to people how your program helps your larger organization win.
Goals will also guide you in the organization of your own people, processes, technologies, and management.
Example Program Goals
Based on conversations I had with our senior executives, here are the program goals I set at the insurance company, in priority order:
- Support the business strategy and objectives of the company
- Protect the critical information and information systems of the company, including our reputation
- Comply with applicable laws, regulations, and industry standards
- Maintain and enhance our trusted relationships with all stakeholders, including customers, partners, suppliers, and employees
- Enhance our company’s competitive position by securely supporting and enabling new products and services, and acquisitions
- Promote cybersecurity education, training, and awareness throughout the organization
What Can Be Delegated?
So, the CISO can’t delegate vision or goal setting.
But, for all the rest of the work, the CISO must delegate as many responsibilities and tasks as possible.
Delegation is necessary so the CISO can focus 25-30% of their time on the strategic management of the cybersecurity program. This means knowing the organization’s top cyber risks and working with other executives to manage them.
The CISO must not neglect this duty in favor of the tactical and operational aspects of the cybersecurity program.
Plus, cybersecurity program staff members can grow by taking more responsibility for the non-strategic workload.
Outsourcing Cyber Risk Management?
In the next post, I’ll talk about how to determine which work should stay in-house, and which tasks or duties can be outsourced.
Cyber Risk Opportunities helps middle market companies build strong, cost-effective cybersecurity programs to prioritize and reduce their top cyber risks, including the specific requirements of PCI, HIPAA, SOC 2, ISO 27001, DFARS, and more.