Signs You Need a Chief Information Security Officer
Threats to information security and changing banking technologies are driving innovation within the information technology function. They are also creating a high demand for experienced information security leaders. The Bureau of Labor Statistics projects that employment of information security analysts will grow 28 percent from 2016 to 2026, roughly four times the average growth rate for all occupations.
Businesses are also looking at how information security can and should be aligned with their operations at the highest level, which has led to a rise in the number of Chief Information Security Officers (CISOs). The CISO function is new territory for many businesses, but it’s important ground to cover. With the current risk landscape, an executive with the right credentials and expertise can help protect your organization’s valuable data.
Why CISOs Matter
Placing an information security specialist in a C-suite position ensures that information security decisions align with the organization’s overall strategy, mission, and risk appetite. Managing the information security function is no small matter, because it encompasses a broad range of activities related to the protection of an organization’s data.
There is a risk management function, which identifies and monitors for unauthorized intrusion into networks, malware, and other disruptive actors. This covers the technical cyber risk controls as well as the physical protections around access points (including third-party hosting locations) and the policies governing user roles and access rights.
Compliance matters to information security as well. Some types of data, such as health care or financial information, must have specific protections in place. Clients may also require information security protocols for vendors and third parties that handle their information. Companies will need to demonstrate that their controls and data protections meet the various requirements, and be prepared to address any legal issues if any protection measures are found to be deficient.
CISOs are also involved in technology decisions. These include the systems and infrastructure that support risk management reporting on an organization’s data, as well as the security implications of acquiring new systems or processes. An executive in the information security role can ensure that the most pressing information security considerations are addressed early in the acquisition process, before a new system or vendor is in place and changes become costly.
Where CISOs Are Needed
Larger companies and organizations that handle large volumes of sensitive information should consider establishing a CISO position if they haven’t done so already. The more complicated the information security infrastructure, the more a company will need someone in an executive position who can oversee its functions and align its objectives to meet the needs of the company.
If your company does not have a designated CISO, it may want to consider whether its competitors have recently put one in place. In an age when cyber attacks are routinely in the news, a CISO can be a marketplace differentiator: the role demonstrates to current and potential clients that the company is being proactive in mitigating its information security risks.
If you are a financial services company regulated by the New York State Department of Financial Services (DFS), a CISO is now a requirement. In March 2017, DFS implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. It requires covered entities (organizations operating under a DFS license, registration or similar authorization) to maintain a cybersecurity program that protects their information systems and nonpublic information. Section 500.04(a) of the regulation requires each covered entity to designate a qualified individual to serve as the CISO, responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO role may be filled by an existing member of your staff, a member of an affiliate organization, or a third-party service provider; in the latter two cases the covered entity retains responsibility for compliance and must designate a senior member of its own personnel to direct and oversee the third party. The regulation also includes limited exemptions for smaller entities, so confirm which provisions apply to your organization.
In a different vein, your company may want to establish a CISO position if it has a history of problems with unauthorized access to its systems. Data breaches are devastating to an organization’s reputation, and hiring an experienced CISO can help rebuild trust by demonstrating that your organization takes information security threats seriously.
Qualities to Look for in a CISO
The ideal CISO has a blend of both management and information technology experience. A Master of Business Administration and other advanced degrees are common educational qualifications, just as they are for other C-suite positions. In addition, CISOs should hold one (if not several) information security certifications. Common certifications include ISACA’s Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT), and the Certified Information Systems Security Professional (CISSP) from (ISC)².
Experience with enterprise-wide governance and risk management programs will be important. Part of the CISO’s responsibility entails managing threats to information security and adjusting risk mitigation strategies as those threats change. A strong CISO candidate might also have been through a data breach recovery process and would know the ins and outs of managing the crisis, coordinating with legal counsel, and notifying affected parties and regulators.
If you have a candidate in mind for CISO who may not have all of the necessary experience (such as an employee currently serving in an information security capacity), consider the role that training or certification courses may play in getting that person up to speed. Information security is ever-evolving, so ongoing training will be a critical component of your CISO’s success.
Identifying the Right Candidate
By some indicators, the market for CISOs is fairly competitive. Every type and size of organization stands to benefit from high-level information security leadership. Working with an executive recruitment and placement firm may help expedite the process of identifying the right candidate to meet your organizational needs. An external firm may also be able to provide guidance on salary expectations and other compensation arrangements that could make your organization’s position more appealing for potential applicants.
Organizations that are not in a position to bring on a full-time CISO may want to consider a fractional or virtual CISO who can work with them to establish their security maturity baseline. A fractional CISO can develop a roadmap for improving an organization’s security program and reducing its security risks, and can serve as a reasonable placeholder while your organization grows to the point where a full-time CISO makes sense.
We know that the rapid changes in regulations, financial reforms, banking technologies and digital information threats create unique challenges for the financial services sector. Feel free to reach out to the author, Chris Roach, with your questions and for additional information. Chris is CBIZ’s National Practice Leader for IT Security and Compliance and a Managing Director in our Risk & Advisory Services group. You can reach him directly at 713.871.1118 and firstname.lastname@example.org.
Copyright © 2019, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).