Today’s Chief Information Security Officer, or CISO, has a stronger and more strategic role in organizations because there are more cyber threats, compliance standards, connected devices and stored data than ever before. However, according to a study published earlier this year by PricewaterhouseCoopers, almost half of companies today don’t have a C-level security executive in place. Now is the time for organizations to evaluate their risk posture and invest in an information security team that can build a strong cybersecurity culture aligned with their strategic business goals.
The role of the CISO dates back to the mid-nineties when a bank experienced a series of cyberattacks and created the role to have an executive formally oversee information security. Fast-forward to today, 86 percent of companies performing well in security employ a CISO, according to the International Information System Security Certification Consortium. While this formal cybersecurity role can vary, the job functions have evolved with changes in business and technology over time.
At a high level, the role of a CISO is to lead the information security function in a manner that securely supports the strategic mission and business-aligned risk-mitigation practices.
As businesses continue to realize the importance of the information security function, CISOs are chartered with ensuring company leadership is aware of existing and future risks, as well as maintaining solid relationships and buy-in for risk-mitigation initiatives. The CISO role has evolved into a mandatory, top-level executive role with a direct or dotted-line reporting structure to the CEO, president and company board. CISOs are jacks of all trades, responsible for assisting with architecture, compliance/audits, legal/HR, risk management, identity management, operations, governance, sales/marketing, business enablement, project delivery and budgeting. By integrating themselves at all points along the delivery process, CISOs and their departments remain enablers of business transformation. It’s not just the CISO who strengthens business relationships; key personnel throughout the information security team form closer relationships with the various business units. By doing this, information security teams have the best chance of ensuring requirements are met early and often, while solutions, processes and strategic initiatives are delivered securely and on time.
Challenges facing CISOs can include resistance to allowing information security involvement throughout business processes, lack of support from leadership, and skills shortages that prevent tasks from being carried out. At FNTS, we have found these tactics to be the most effective for CISOs to overcome such challenges:
- Utilize business, negotiation and relationship skills to obtain buy-in and support from executive leadership.
- Educate and partner with business units to accomplish tasks instead of regularly enforcing requirements and consequences when the organization falters.
- Track progress through metrics to show how information security has helped enable the business. The metrics should be meaningful and tied back to the business’ strategic initiatives. The more information security is able to show how it enables secure operation and prevents or mitigates business loss, the more it is perceived as a competitive advantage and differentiator.
At FNTS, we have seen the skills shortage affect information security teams in many ways. Numerous organizations want candidates who meet extremely specific requirements. In addition, applicant tracking systems can do a disservice if they automatically disqualify candidates who would otherwise be valuable additions to the staff. The following are steps organizations can take to address skills and staffing shortages:
- Consider training capable individuals if unable to fill a role based on the initial job description.
- Provide remote or flexible work arrangements for candidates located away from the primary work location.
- Create a solid work culture and stay committed to helping current team members advance their skills.
- Recognize that there are several disciplines within information security and that, coupled with ongoing changes in technology, training is continuous and specific to each discipline.
- Attend industry networking opportunities, which can be essential in leading to unique ways to train, educate, recruit and retain staff.
- Seek candidates who clearly communicate how they are qualified for roles. It goes a long way when human resources and hiring managers can connect the role and requirements to relevant past positions or accomplishments listed on a resume, cover letter or social media profile.
About Robert LaMagna-Reiter, Chief Information Security Officer
FNTS Senior Director of Information Security Robert LaMagna-Reiter is a leading, trusted cybersecurity expert who holds several industry certifications. He has knowledge of the latest cyber threats and of strategies to mitigate risks. Robert implements information security strategies and roadmaps for FNTS’ clients through risk management; strategy and mitigation tactics; architecture and engineering; regulatory compliance and IT governance; and adherence to policies.
There is no compromise when it comes to security. FNTS offers security services for organizations that must meet stringent security standards and industry regulations. Leveraging more than a decade of industry expertise, Robert is a strategic advisor, consulting with current and prospective clients to achieve security initiatives within their organizations and helping them understand the value and risk reduction that the security offerings provided by FNTS bring to their enterprise. He understands clients’ goals and objectives and suggests ways FNTS can help them achieve those goals in a cost-effective manner.
Robert regularly speaks about related strategies and tactics at a number of nationwide events and has a network of colleagues who also hold vast expertise in information security. He holds a number of industry certifications including:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified HIPAA Professional (CHP)
- Payment Card Industry Professional (PCIP)
Robert’s past experience includes leadership roles in information security for transportation, government communications, retail, e-commerce and managed services industries. He has a Master’s degree in Business Administration and a Bachelor of Science degree in Management Information Systems from the University of Nebraska at Omaha.
Robert enjoys spending time with his wife, family and friends. Rob also enjoys bowling and has achieved a perfect 300 game. Additionally, he was previously a part of the UNO bowling team.