The ever-increasing digitisation of society has rapidly transformed the masked safecracker armed with a crowbar and stethoscope into a ruthless cyber criminal. Companies are increasingly falling victim to cyber attacks, which means traditional information security strategies are no longer adequate. The call for a specialised, organisation-wide approach has therefore led to a new “C” in the list of CEOs, CIOs, CFOs and COOs, more specifically the CISO.
The CISO (Chief Information Security Officer) plays a crucial role in the development and roll-out of the cyber strategy. The CISO lays down the framework for information security, advises the management, and ensures that the policy is correctly communicated to all employees. Particularly in organisations where digitisation is or has become an important process, the position of the CISO will be all the more important.
What characteristics should this new kid on the block have?
First of all, the CISO must have a thorough knowledge of organisational, social and political developments both within and outside the organisation. The CISO must be able to map the risks that may affect the security of the information, both from outside and from within the company, and must therefore have the necessary technical background and good analytical skills.
No matter how well-structured a strategy is, without the top management’s buy-in it won’t happen. It’s crucial that the CISO is able to “sell” the cyber strategy internally to the management. Without awareness, moral and financial support from the top, an information security policy is doomed to fail. The CISO must therefore have the necessary diplomacy and communication skills to convince the management. Providing correct advice and presenting clearly and concisely are key characteristics of a good CISO.
The majority of cyber security leaks are due to human error. The many phishing incidents reported daily to the CCB (Centre for Cybersecurity Belgium) clearly show that awareness and alertness among ordinary employees are a top priority for the CISO. For this, too, the CISO must have the necessary qualities to convince colleagues in a non-technical way to meticulously follow and implement the cyber guidelines. Diplomacy, being a good judge of character and being able to cope with resistance and misunderstanding are also extremely important here.
Finally, the CISO will ensure the necessary procedures are in place that not only prevent disaster (proactive), but also measure and repair the damage following a cyber attack (reactive). The CISO must therefore be able to ensure that the business, its employees, business processes and equipment are able to continue as normal as soon as possible.