How to Resource the CISO

Deep Seshadri
Author: Deepa Seshadri, CISA, CISM
Date Published: 11 January 2023

In an increasingly connected world, the importance of cybersecurity cannot be denied. In fact, I have been quite vocal about the need to have a seat on the board of global enterprises for a cybersecurity leader for a while.

Interestingly, most of the companies that recognize the importance of a dedicated cybersecurity lead have created the position of what we know as the CISO – Chief Information Security Officer. The role of the CISO, as the name suggests, is to ensure that the enterprise’s systems are secure and robust, and can handle any kind of a cybersecurity threat. The CISO is also responsible to put in place protocols that don’t just mitigate the effects of a cyber breach but also predict where the next breach might come from, and identify the measures that can be taken to proactively thwart the threat to not just in-house systems, but also those of the clients and partners who have plugged into the enterprise’s systems.

As you can see, the role of the CISO is not limited to just developing security frameworks for a set of applications developed by the enterprise – it is a much more broad-based role that involves an independent team structure with contributors possessing niche skills. The question is, should the CISO’s organization have dedicated budgets and a separate presence or should the budgets be apportioned from the CIO’s organization? This is a longstanding debate since the role of the CISO came into play. In my view, it depends on the size, threat perception, sensitivity of the information and data, and the probability of vulnerabilities creeping in, in the context of the enterprise’s threat landscape.

Let’s take an example. A supply chain firm serves global manufacturers and has a presence across the globe. It caters to niche players in the luxury apparel industry and its systems are integrated with those of the clients. Now, the team monitoring vehicular movement has excellent supply chain professionals, but their technology aptitude might not be very high. This makes them extremely vulnerable to phishing attacks. It won’t take long for a trojan to make its way to the firm’s servers and, within minutes, it could spread to those of the clients.

The firm and its board had hired a CISO who worked within the scope of the CIO organization, with limited dedicated resources. A cyberattack of this kind could render their entire fleet useless and they could face hefty penalties from clients for being a conduit to a cyberattack on their systems. The board never bothered about giving due importance to cybersecurity, and now, they are in a soup.

You clearly would not want this scenario to play out at your enterprise, would you?

A credible and effective CISO organization requires its own presence as a separate entity within the enterprise, with access to the best skilled workforce and a budget that takes care of not just the security of clients’ deliverables but also other needs of the firm. The board and the leadership must realize that the CISO’s organization does not work like that of the CIO. The CIO’s organization is more about building information systems for people to get their jobs done easily but securing these systems requires professionals with specialized skillsets.

The CISO’s organization is also the first port of call on any cybersecurity vulnerabilities and attacks. They not only fortify the defenses but must also play the part of proactively neutralizing any emerging threats. This also requires liaising with industry bodies, governments and even competitors in the industry.

Would you believe that some organization have the CISO reporting to not the CIO but to the CRO or the CFO? Enterprises across industries must consider cybersecurity as not just a technical aspect of running operations but as a strategic one. That is something boards must carefully consider, with the CISO serving as the custodian of cybersecurity.