A Day in the Life of a CISO – bridging the gap between culture and technology
Published: 23rd February 2023
Recruiting a full-time employee specifically responsible for cyber security and information security was once a rarity in the mid-market. However, having someone take primary responsibility for IT security, whether they be a CISO, CIO, CTO or IT Director, is increasingly important. Smaller organisations might not need to have this position at board level, while larger organisations will have different combinations of the above roles depending on their strategy and focus.
Regardless of the exact job title, the significance of the individual responsible for an organisation's security has never been greater. Cyber security is now such an expansive issue, spanning all aspects of IT and employee culture, that it is easy to fill a working week with tasks. These can range from:
- security governance, policy implementation and risk management, in keeping with compliance requirements and industry best practices
- procurement of new solutions
- sign-off on innovations, with systems in place to mitigate vulnerabilities
- secure onboarding of suppliers and partners
- proactive audits of the business's security posture, plus maintenance and updates
- building a security-first culture across an often-disparate workforce
- managing everyday vulnerabilities or more amplified challenges such as zero-day threats
- keeping up to date with the security landscape and new potential threats and solutions
- ensuring both business continuity and disaster recovery strategies are updated and ready
Without a doubt, one of the greatest drivers of businesses recruiting for this role (or perhaps hiring a virtual CISO) is the increasing volume of attacks. Our research tells us that leaders perceive the top cyber security challenges for their business to be ransomware, protecting mobile workers, malware and data theft.
The increased demand for CISOs is also likely linked to organisations broadening their ‘attack surface’ through the high volume of digital transformation taking place across most industries. Whilst those businesses expanding their IT estate and deploying new solutions are reaping the benefits of increased efficiency and productivity, they need clear, actionable security strategies to avoid creating new gateways to their networks for malicious agents.
In addition to this trend, an increase in hybrid working and the fact that such a large percentage of businesses now rely on technology mean that most organisations are having to train and upskill their workforce at a tremendous pace. This is to ensure that they reap the rewards of innovative new technologies in the most secure way possible. In many instances, this is simply too large a job for the CTO to manage, given that the role already leads on all other aspects of an organisation's IT, and thus the requirement for a CISO arises.
Whilst the role of CISO oversees security solutions, it is incredibly people-orientated. One crucial job for an effective CISO is to form a link between technology teams and non-tech employees, to ensure that no gaps in IT deployment or user training lead to security issues. Another is to form a bridge between the demand for innovation and aversion to risk, defining the business's risk appetite together with other business leaders. They then have to map out carefully the point at which the ROI from new technologies peaks and more risk seeps in than the business as a whole can comfortably absorb.
It is also the CISO's role to ensure that other leaders understand and accept the full consequences of any potential breaches arising from processes and systems which they believe could make their roles easier. Gaining acceptance from peers that a system that could help them to achieve their goals simply does not meet the business's risk profile is not always easy. A day in the life of a CISO is therefore not just the job of a security specialist, but also that of an expert negotiator and communicator.
Given the stress levels likely associated with the role, it is unsurprising that research shows the most effective CISOs are those who believe stakeholder demands are achievable. They are also those most able to deal well with external stressors. These findings point to the importance of available budgets and cultural buy-in, which our research tells us is on the up. More than half of the business leaders we have spoken to say that improving cyber security is an investment priority, and the same percentage wish for a hybrid approach combining outsourcing and in-house solutions.
It will be interesting to observe, as the role evolves, how the most effective CISOs approach business objectives, particularly with regard to balancing proactive and reactive processes, choosing between outsourcing and in-house provision, and the efficacy of virtual CISOs for businesses for which their own hire is not the right fit.