What is the actual value of a CISO?
For some people, it’s hard to understand what keeps them up at night. For you, the CISO, things are much clearer. Your 3:47 am thoughts are filled with data breaches, malware, and uninterested employees.
Information security is quickly becoming known as one of the most intellectually challenging jobs there is – there are no hard and fast rules, and the game is constantly changing. It can be tough to see the payoffs – “wins” and “successes” usually come in the form of not getting hacked and not being sabotaged.
As an aside, it takes a lot more than just being a good technician to be an effective CISO. To win at this job, you’ll need to wear many hats. You must be a leader and an influencer, a responder, and a bridge between innovation and defense. Ultimately, the one responsible for the security of your organization.
But wait there’s more – you need to be well-versed in your industry’s culture, be able to understand and deal with the corporate landscape and manage your team of shining knights under severely tense and compromised circumstances – sort of like a jack of all trades, but you must be a master of all, as well.
And with every hack, every data breach and every compromised employee, it becomes all the more abundantly clear how truly critical your role is, no matter the industry.
Attackers are getting more sophisticated, and laser targeted. Traditional defenses are failing, ransomware is booming. Without the presence of a CISO in the organization, it will be a struggle to manage the complexity of interconnected technical, physical and personal elements that make a complete framework of information security in the organization.
How much is a CISO worth?
Cyber-attacks are a tier one risk to your organization. The response to cybercrime is a business decision. Companies make decisions on how to manage the potential for loss from cybercrime by deciding how much risk they are willing to accept and how much they are willing to spend to reduce that risk. The problem with this is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk.
The key value provided by a CISO is the business leadership role that includes the driving of both information technology and security education. When the CISO does that, the efficacy of information security policies get clearer and the process of moving the workforce to a collaborative engagement toward information security starts. This collaborative effort not only includes the putting of technological solutions on network nodes or employee devices but also includes training and awareness efforts.
The cost of cybercrime and the real quantified value of the CISO these days is skyrocketing as the cost of data breaches continues to rise. The recent Ponemon IBM report reveals that breach costs have grown from $5.4 million in 2013 to $6.53 million in 2015, an increase of 21% in only two years.
According to a recent Symantec report, one in two large businesses are targeted every year – multiple times – with a cyberattack and about one in 40 small businesses are at risk.
Meanwhile, the Ponemon report explains that when cybercrime leads to lost business, the cost increased from a total average cost of $1.33 million in 2014 to $1.57 million in 2015.
Constantly updating and maintaining the best line of defense is a complicated, never-ending task, manifested within a blend that would typically include data encryption and protection, event management, intrusion prevention, and employee awareness building. This requires a high-level executive commitment, expertise and processes.
Correct handling and implementation reduces vulnerabilities, shortens the amount of time threats take to detect, resolves attacks and can save companies millions annually.
You see where I’m going with this? Having a CISO on board is essential.