CISO Responsibilities and Questions to Ask
August 17, 2017
If you think your organization is safe from major security breaches and can handle a hacking incident, you could be leaving your business wide open to vulnerabilities. Reporting from Bloomberg found that U.S. companies and government agencies suffered 1,093 data breaches in 2016 alone. That figure accounts for a 40% increase from the previous year as reported by the Identity Theft Resource Center.
A data hack can result in millions of dollars in damages ranging from class action lawsuits to a PR response and loss of credibility and revenue. But big corporations like Home Depot, Wendy’s, and Target aren’t the only targets of major hacks. In fact, 70% of attacks target small businesses, and 50% of small businesses have already experienced a hack. This may sound counterintuitive, but there’s a reason for it: experts agree hackers find it easier to target small businesses and can quickly extort their money because so many companies fail to safeguard their data or hire the appropriate security staff like a CISO.
Beefing up the security of your website and networks is a necessity in today’s rapidly changing digital landscape, but do you really need a CISO to protect your business? Walk through these 10 questions with your team to determine if you need a responsible CISO to help safeguard your business.
1. How Much Sensitive Information Do You Engage With and Store?
The amount of information and data you store can help determine if you need a CISO. A business that doesn’t store financial or personal data may be in the clear. For example, a small freelance agency that works off of simple contracts and submits content that isn’t proprietary probably doesn’t need a CISO. Instead, they could rely on third-party vendors and cybersecurity services to protect them. And a business that primarily relies on their website as a marketing tool to attract more business may not need a CISO.
However, a company that handles or stores customers’ credit card information, social security numbers and other sensitive needs a CISO with the responsibility to safeguard their files. At the end of the day, it’s not just about protecting your own information and business. You should be in the business of protecting your customers’ well-being and digital footprint, as well.
2. What Do You Want to Protect?
Once you’ve determined if your business would benefit from a CISO, decide what information you want to protect. Start by identifying the appropriate networks, systems and data. Look at which areas of your business directly engage with sensitive information to help prioritize the process.
It would seem intuitive that any of your networks that interface with financial information should immediately be protected and undergo a security audit. However, it’s not always easy to detect which pieces of your business and digital assets are the most likely to be breached. During the Wanna Cry attack, hackers went through outdated software that had not been updated with a patch to take over systems. A CISO can take a look at all of your systems and assets and use their knowledge of current threats to recommend the best protection.
3. How Much Does Your Team Already Understand About Your Data Risk?
Does your team already have expert IT and security personnel on board who have a deep understanding of your company’s unique data risk? If you have a small business that doesn’t deal with a lot of sensitive data and information, and a true expert on staff, then you probably don’t need a dedicated CISO.
Otherwise, you need a trained expert in your corner with a deep knowledge of data risk and your systems. And it’s not just about knowing what to look for with vulnerable systems and data: the legal compliance and regulations involved are not always obvious even to security experts without a more sophisticated level of knowledge on the matter.
4. What Is Your Incident Response Plan?
With the rise in hacks and data breaches, it’s likely your business will be targeted at some point by hackers. Any incident involving customers, the public or shareholders requires a swift incident response plan that is strong enough to sustain public backlash or going viral.
Figuring out your incident response on the go isn’t wise and could further tarnish your business reputation and see an increase in financial damage. A CISO can help you design your own incident response plan and loop in the appropriate people, from the CEO to a communications team, to ensure the right message reaches the public.
5. Who Will Take Responsibility in a Data Breach?
Even if you have an incident response plan fleshed out, someone in your company will still ultimately be responsible for rolling out the plan. Simply assigning a point person won’t work. You need someone fluent in laws and regulations, best practices, vulnerabilities and how to resolve the breach to stand responsible.
6. Do You Understand the Global Data Protection Regulations?
Your business could face greater responsibilities in data protection as laws and regulations evolve. If you don’t have a firm and fluid understanding of the current regulations, you could find yourself liable for vulnerabilities you weren’t even aware of.
You aren’t alone if you’re not sure how to proceed after a hack from a legal standpoint. A survey by Experian found that most companies are ill-prepared for a global data breach and were not ready to comply with the European Union’s General Data Protection Regulation (GDPR) or didn’t know what to do in a hack. It’s likely your company needs special legal counsel to deal with cybersecurity and breach issues and a CISO who can help collaborate on the process.
7. Does Your Company Need Someone to Bridge Business and IT Gaps?
In the past, many companies just relied on their IT department to handle all of their security issues. However, today’s business interests are more closely aligned with security, and there’s a growing need for CISOs to have a hand in more responsibilities, including law and public relations. The evolving role of a CISO will further bridge the relationship gap between business and IT to make decisions on behalf of both.
Ask yourself who at your company can take on this role and best communicate the needs of your business from both a business and security standpoint.
8. Can You Afford a Data Breach?
There’s good news and bad news about the costs of a data breach. According to IBM, the average cost for each lost or stolen record containing sensitive and confidential information decreased from $158 in 2016 to $141 over the course of a year. However, despite the decline, the study also shows companies are having larger breaches that are affecting more data and records.
The costs of a data breach just scratch the surface of financial damage. The cost of a PR and communications roll-out, loss of revenue from a diminished reputation and investigation costs of the breach all add up. The question then remains – can you afford the all-encompassing effects of a data breach? A CISO may not be able to defend against all associated costs with a breach, but could help to lower the costs by developing a proactive plan to prevent attack and protect your business.
9. What Is Your Budget?
The cost to hire a full-time, on-staff CISO could be outside of your capabilities. According to Mondo, the average salary of a CISO can vary from $140,000 to nearly $300,000 depending on your industry, business and expertise of the CISO. Benefits, perks and associated overhead are also budget factors when hiring a full-time CISO.
However, consider that not having a CISO could drive up the associated costs of a data breach. A qualified CISO can help strategize the security of your company to mitigate the risks. You may not escape some of the financial fallout in a breach, but a CISO’s proactive plan and ongoing monitoring should reduce the threat and catch it before it spirals out of control.
10. Do You Need a CISO on Staff?
You may come to the conclusion that you need a CISO, but don’t have the budget. If finances are ultimately a deal breaker in hiring a full-time CISO, consider the possibility of outsourcing the responsibilities instead. A reputable third party could provide the security services you need to keep your company safe. However, the outsourced CISO should also have deep knowledge of how to handle security regulations, identify your key vulnerabilities and monitor your systems and data to combat against attacks.
While there is no one question that will tell you if you need a CISO on staff, there are plenty of ways to weigh the pros and cons. Walkthrough the answers you gave with your team to determine the best course of action and determine if hiring a CISO is right for your business.
Did you hire a CISO? Tell us about how you ultimately made the decision by leaving a comment below:
