If you keep an eye on the latest infosec news, you’re most likely aware of the talk around CISOs and the gap organizations have in filling the position. One of the most recent articles to discuss this painful reality made some valid points that actually say even more about organizations and the importance they give to security.
The article, “Why CISO is the hardest tech role to fill,” on CIO.com, talks about how hard it is to hire a CISO due to the difficulty of finding one with a good mix of business and technical skills; but as you keep reading, it goes on to mention budget and other areas that are keeping organizations from hiring.
One of the challenges is that organizations don’t have a way to measure a CISO’s performance because while the CIO gets judged based on KPIs such as cost savings and/or lack of breaches, the CISO’s KPIs are unclear.
Expanding on this premise, it’s safe to say (from our standpoint as a security company) that a CISO’s KPIs accompany those of the CIO if they are working side-by-side, as they should be, to strengthen the data security program in place.
The real problem is realizing the need for the CIO to have a right hand, a support: someone they can count on to help them put policy and procedures into practice, to keep an eye on identifying false positives, and essentially to split the leg work that is required to continuously monitor an organization’s network, employee device usage, and updates to security technology.
Expecting one person to do all the monitoring, updating, and staying in the loop on newly developed hacker techniques is unrealistic. So the fact that organizations are still unclear on the value a CISO brings to the table is surprising, because it only makes sense that an area such as risk management employs more than one professional in the organization to do it all.
This brings us to the second point the article makes, which is that organizations under-invest in cybersecurity. Although companies like to say they are addressing cybersecurity, it is widely known (thanks to industry studies) that this is not the case. Just last week we discussed a recent study by the Ponemon Institute, which found little difference in healthcare data security six years following their first study on the topic. This six-year timeframe is only six years because they weren’t tracking anything before then; can you imagine if we had tracked 10 or 15 years back?
Businesses are always looking into areas where they can save money and they aren’t making an exception with their security department. When you factor in that they can’t measure a CISO’s ROI with numbers they deem worthy, is it any surprise that they aren’t hiring CISOs or investing in them the way they should be?
The reality is that business executives have yet to grasp the big picture when it comes to information security, which is that it is part of the business process and something that will keep them in business or put them out of business (when there’s a lack of it). Budgets are tight for any organization and investing wisely is a must, but by cutting corners on data security the risks are far greater than any CEO imagines; that is, until a breach strikes, then they’ll know (but at that point it might be too late).
Getting the ball rolling on a cost-effective, yet complete information security program isn’t as hard as it sounds when you talk to someone who knows what security risks and vulnerabilities to look for, while understanding the reality of having a budget to work around. Companies like ours are here to help inform you of your options.
Give us a call so that you don’t have to wait for a breach to make security a priority.
Photo Courtesy of Maksim Kabakou