The challenges of a CISO


In this digital era, information security faces threats that are growing exponentially in number and complexity. The role of a Chief Information Security Officer (CISO)? To face these challenges and protect the organization against cyber attacks and data breaches.

Companies, especially scale-ups that are growing rapidly and adapting to the ever-changing technological landscapes, need strong information security. 

06/07/2023

Full video: 43 min

In this episode of ‘The Wide Open’ podcast, Siebe De Roovere welcomes two of his cybersecurity colleagues: Senior Consultant Thomas Dejagere, and Eric De Smedt, Head of our Governance, Risk & Compliance team with more than 30 years of experience under his belt.

What is a CISO?

Excerpt #1


Over- or under-secure? You need to find that balance.

A CISO (Chief Information Security Officer) is responsible for the security of valuable assets within an organization. CISOs are the last line of defence in protecting these assets against potential threats. The role of a CISO varies depending on the company and organization size.

In large organizations, this role is often full-time and requires more specialisation, financial means and team members. In this case, the CISO acts as the bridge between the technical teams and the business department. Achieving a balance between technical expertise and an understanding of the business objectives is crucial in this role.

For smaller organizations, the CISO’s focus is often on building a solid foundation. This includes a baseline measurement to:

  • identify the risks; 
  • develop a roadmap;
  • and draw up strategies to improve security. 

While technical knowledge is still important at that stage, the CISO also has a broader role to play in this context. More specifically, he or she must focus on the organization’s growth and future ventures.

A CISO’s role is not just about IT; he or she also focuses on the business aspect. The CISO needs to have a voice in the boardroom, because information security also entails risks, such as reputational damage. Finding the right balance is essential, as both an over-secured and under-secured organization can have negative consequences. 

In short, a CISO needs to:

  • think strategically;
  • be mindful of business needs;
  • and implement proper security measures to effectively protect the organization.

How do you go about defining a security strategy?

Excerpt #2


A security strategy is a continuous process with regular evaluations and adjustments.

A security strategy starts with a thorough analysis of the business processes. It’s important to understand: 

  • what these processes entail;
  • how they contribute to the business objectives;
  • and how the organization wants to evolve. 

Since the critical processes are an extension of the business objectives, you need to identify them accurately.

Conducting a maturity assessment is the next crucial step. There are various frameworks for this, such as the CIS (Center for Internet Security) Controls Framework, which can serve as a guideline. The maturity assessment allows you to identify the cybersecurity risks and key focus areas.

A strategy is developed on the basis of this analysis and risk assessment. Often, the ISO 27001 framework is also used: it provides a structured approach to the implementation of security measures. This framework can serve as a guideline to implement the strategy in a systematic and organized manner.

Understanding the business processes, identifying the risks and applying the right frameworks and strategies can help define and implement an effective security strategy. It is an ongoing process that requires regular review and adjustment to keep up with the organization’s ever-changing threats and needs.

How do you define which areas are most important for a company?

Excerpt #3


Never waste a good crisis.

Determining the most important areas requires a thorough analysis and evaluation of the potential business risks. It is important to identify which threats are real and predict their potential impact if they occurred. This can be done by means of a risk assessment, which involves the participation of management.

The choice of key areas depends on the company’s attitude to risk. Companies that prefer to avoid risks are more inclined to focus on measures to mitigate them.

A challenge for a CISO is convincing management to budget for security measures, especially when they may not have sufficient understanding of the risks. It is the CISO’s job to translate these risks into understandable terms and examples that are relevant to decision-makers. By giving concrete examples and making the impact tangible, the CISO can emphasise the importance of cybersecurity. The quote “Never waste a good crisis” certainly applies here: incidents and crisis situations can be used to underline the importance of adequate security.

Consumers are attaching more and more importance to cybersecurity. Since a certain level of trust is a plus for customers, it can give the organization a competitive edge. In the retail sector, for example, customers are more confident and more likely to purchase from a trusted website. Failure to implement certain basic security measures, such as using HTTPS, will have a negative effect on your customers’ trust. And therefore on your business. That’s why it is essential to emphasise the business benefits of cybersecurity and make the link between security and achieving business objectives.

How do you roll out a security strategy?

Excerpt #4


As a CISO, you can’t close all the gaps at once.

Defining your strategy is an important step, but it’s just the beginning. Once you’ve developed a strategy, you also need to roll it out. And, of course, this entails potential pitfalls.

In the case of small organizations, which do not employ a full-time CISO, data protection is often assigned to the CTO (Chief Technology Officer). Usually, though, the CTO already has a lot on his plate and security therefore often ends up on the back burner. This remains a challenge, as there is no full-time focus on security.

To address this issue, an external CISO can be brought in depending on the company’s needs. The CTO/CIO and CISO must work together to make sure a sound security policy is drawn up and to monitor each other. In smaller companies, the CISO is often someone with a broad knowledge of different aspects, as resources are limited. An external consultant can help by providing additional expertise.

In larger organizations, security initiatives often come from the bottom up, from technical teams. But these initiatives do not always take business objectives into account. That’s why it is important for the initial direction to come from top management, at executive level. In addition, people who can implement the strategy are also needed. 

A CISO looks at this in the context of business risks and priorities. Since solving everything at once is impossible, a CISO must be able to create and stick to a list of priorities. It is not always necessary to close all vulnerabilities; rather, the right gaps should be filled based on the set priorities.

The roll-out of a security strategy therefore requires close cooperation between various stakeholders, such as the CTO/CIO, CISO and senior management. Understanding the specific needs and risks of the organization, setting priorities and carefully implementing security measures are crucial in ensuring an effective security policy.

What makes a good CISO?

Excerpt #5


Relationship building is very important for a CISO. And you can’t do that by sitting in your office.

What if the business department itself reports that something is critical? As a CISO, your initial reaction shouldn’t be to say no; listening to the needs is essential. What does the organization want to achieve and how can we achieve it safely? Building relationships is paramount in this situation.

A good CISO has project management skills to successfully draw up a roadmap, within the allotted time and budget. In addition, a good CISO understands the social aspect within a company. This is not something you can observe from an office. Building relationships, with the technical people as well as the business department, is crucial. It’s important to know what frustrates employees the most. A CISO should not be too technical, but should have enough technical knowledge to check things and not accept misleading information.


Written by Süleyman Yilmaz. A CISO is the last line of defence to protect your assets. What’s the CISO’s role? And what makes a good CISO?
