We live in a world where cybersecurity threats are increasing all the time, both in terms of frequency and sophistication. Attacks have been coming thick and fast this year and are happening on multiple fronts from cyberespionage to ransomware locking companies IT systems for days and weeks. As the bad guys get cleverer, companies are investing massively, which makes the role of the CISO (Chief Information Security Officer) more important and more high-profile than ever.
At the same time, we're seeing companies facing up to security in the wider sense. From the pandemic to this winter's worries about power supplies to geopolitical events, people are becoming increasingly aware of the fact their company needs to address business continuity and operational resilience more than ever before. And in all these situations, answers are always linked to digital.
In the UK and increasingly across Europe and the rest of the world there is also a regulatory requirement for businesses to have operational resilience plans in place- and this has been the catalyst for a change in the way companies think about and organize their security. There is a much wider view of security as a business-critical function with a huge scope.
One common response in the financial world has been to increase the scope of the CISO into a broader function of CSO - Chief Security Officer. The role of the CSO is to look after everything which increases resilience, which combines cybersecurity, physical and employee security, anti-fraud functions and more. All these tasks, which have previously been the responsibilities of many people are being brought under one roof for better consistency and efficiency. Especially as all these topics require to identify critical aspects of the business, work out what they need (in terms of sites, resources, systems and third parties) to function, and how to make all that resilient.
One security team, One security vision
The advantage of this setup is that a CSO has more power, resources and influence with the board than a CISOor the various different security managers which have typically existed before. That makes it easier to make change happen - especially since there's now just one person in charge of everything to do with security.
With everyone who is concerned with security working on the same team for the same boss, it becomes easier to have a more comprehensive, more holistic view of security. For example many companies that have taken the leap now have anticipation teams whose job is to analyze trends and future threats. I'm not sure it would have been possible without a large CSO team. This approach also enables the creation of fusion center, or joint operation center, where all the teams join their forces to better detect fraudsters or criminals trying to attack the company on several fronts simultaneously.
Think first
But before companies live through that change and do what several companies are starting to do, which is promote your CISO to CSO, there are a couple of things you should think about.
The first is that all the different sorts of security, whether we're talking about physical perimeter security, financial security, or information security, are extremely specialist, expert jobs. The new CSO needs to get on top of a lot of information, very fast and should create around him a team of trusted people.
They'll also suddenly be in charge of a huge budget (sometimes in the hundreds of millions of dollars) and a huge team of hundreds or even thousands of people. For people used to managing a relatively small, tight-knit IT security team, that can be quite a shock.
So, my tip for 2023 for anyone thinking about moving to a CSO model is to make sure their CISO is ready to make the shift and is prepared and supported for the shift in mindset and scale their new job will entail. If you put all your security eggs in one basket, you need to make sure that basket is up to the job.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.