According to a study by Germany’s digital trade association Bitkom, one in three companies has already been a victim of data theft. No wonder there’s such strong demand for security experts – especially as increasing digitalisation has made companies much more dependent on a secure technical infrastructure.
So it looks like IT security specialists have a very rosy future ahead of them. Yet these managers, who are supposed to implement effective risk management to protect their companies’ confidential data, are not seen as being particularly important. And this is despite the fact that they have seen a disproportionately huge growth in their responsibilities. Often, the IT manager assumes the role of the chief information security officer (CISO), especially in small and midsized firms. But the wide-ranging duties of a CISO can’t just be tacked on to the manager of the entire IT infrastructure. The multiple security-related controls and proactive data protection tasks are bound to fall victim to the problem of scarce resources in these companies.
That’s why it’s high time that companies start seeing the chief information security officer position as an independent and strategic role.
Key responsibilities of a CISO in theory
So what exactly constitutes a CISO’s range of tasks? After all, everyone in a company is responsible for protecting confidential data, not just one person or a single department. By definition, CISOs head up their company’s information and IT security. In this strategic position, they develop and implement a comprehensive security concept covering all company departments. This concept will include a vulnerability analysis, performance figures (such as the number of phishing emails and viruses discovered), a security roadmap and risk management methodologies. CISOs are also responsible for training the company’s staff and increasing their awareness in all security-related areas.
From the compliance perspective, it’s easy to see how complex and unique the CISO’s role really is. Depending on the industry a firm is operating in, there are specific compliance rules, regulations or laws that must be adhered to. Another challenge is that these compliance regulations often change – and even more frequently than before due to increasing digitalisation. That clearly also has an impact on the CISO’s workload.
This all sounds good in theory, but in practice companies still place too little importance on it. This was reflected in a 2018 survey by Accenture of 1400 managers around the world. It found that 25 per cent of non-CISO managers are currently responsible for cyber-security. Among the companies with a CISO, only 40 per cent said they talk to business unit managers to understand requirements before they propose a new security strategy. And budget approvals show a similar picture: 27 per cent of the budgets are approved by a company executive and 32 per cent by the CEO. Often, the CISO isn’t even consulted when the company plans or decides on the adoption of new technologies. A Trend Micro study showed that only 38 per cent of the respondents said they’d been asked for their opinion when a new IoT project was on the cards. These figures illustrate how urgent it is that the CISO role evolves and is more tightly integrated into the core of the business.
Rethinking the role of a CISO
For the future, businesses need a firm definition of the CISO’s role and tasks – not only for the job description, but also – and especially – to develop security practices within the company.
An important part of the role is that CISOs are included in all security-related activities, have sovereignty over their own budgets and recognition in the various company departments. More than anyone else, the executive team should be aware of the value and importance of the CISO role and consequently allocate sufficient budget to it. Even though security measures may not have much impact early on, they should definitely not be seen as just another annoying cost factor. Otherwise, company management will have to live with the risk that the responsibility for the company’s increasingly important security remains unclear. And that’s a situation that no company can afford to accept.