4 Warning Signs That Your Organisation Needs a CISO

If executives and IT professionals internally have concerns and conflicting views on day to day information security management, it may be important to assess the warning signs.

There are FOUR clear warning signs you need a Chief Information Security Officer -

Warning Sign 1 - Leadership and resource shortcomings.

The organisations current security leader may be part of the business or part or IT but either way lacks formal information security training.There approach is considered ‘best endeavours’ on top of there day to day work and is perceived to be tactical and operational in approach. They spend most of their time on compliance activities (responding to client security due diligence questionnaires, firefighting audit report findings) rather than cyber risk management.

The internal information security service may have a small budget in comparison to their peers in the industry, with very limited resources and skill sets, or the security program of work may not be adequately defined and generally the function lacks established processes and controls.

Questions your C-Suite should ask your acting CISO – What professional training have you had? How do you keep your knowledge up to date? What’s our Security Improvement Programme for this year? What cyber risks are on our risk register?

Warning Sign 2 – You have had a security incident.

An impactful security incident where data is compromised may be a sign of systemic issues, operational failures, and, potentially, an organisational culture that does not value security. Compliance lapses, audit issues, and a lack of metrics and transparency can all be harbingers of potential security problems as well.

Questions your C-Suite should ask your acting CISO – Is our Incident Response Plan clearly documented and all stakeholder trained on it? How many security incidents have we had this month? What was there impact in financial, reputational or regulator terms? What’s our plan to improve our Information Security Culture?

Warning Sign 3 - Inadequate alignment of security with the business.

Business units may view information security as a policeman rather than as a business partner. Acting CISOs and their teams that do not make an effort to understand and partner with the business leaders often become roadblocks to the business achieving its objectives, which leads to employees circumventing the information security team and putting in place the required security measures.

Questions your C-Suite should ask your acting CISO – How are you aligning Information Security to Business Objectives? How are you supporting the business meet its objectives? How are you adding value to the business and our clients?

Warning Sign 4 - Organisational structural issues.

The information security organisational structure may not be well defined or buried several layers down in IT. In a recent survey only 22 percent of organisations the CISO reports in to the CEO, 40 percent report to the CIO. If your acting CISO doesn’t report into someone that sits within the C-Suite then that may answer the question “Why isn’t more progress being made?”.

Questions your C-Suite should ask your acting CISO – Who do you report in to, if not a Board or Executive Committee (ExCo) member? Are you getting the visibility and support that you need to drive down our cyber risk?