Not employing a chief information security officer (CISO) may sound foolhardy, but it is not uncommon. Only 49% of companies currently employ a CSO or CISO, according to Cybrary’s 2016 Cyber Security Job Trends Report.
Why is this? The reasons are myriad, from the lackadaisical “it won’t happen to me” business attitude towards information security, to confusion around the CISO’s purpose, budget constraints and trouble identifying the right candidate.
Unclear KPIs and CIOs carrying out CISO job functions muddy the waters too. However, it’s increasingly clear a CISO is required to prioritize information security and be a strategic enabler for the business.
Is the time right to hire your first CISO?
The most important point companies must understand is why they have made the decision to hire a CISO. Is it because they need someone to build a security infrastructure, to lead security strategy, or have they simply been recommended to do so by the board of directors or audit committee? The who then becomes important, given the different skillsets of CISOs and the wide-ranging salary and leadership expectations.
Joyce Brocaglia, managing director at recruitment firm Alta Associates, recalls hiring Steve Katz as Citi CISO back in 1994, widely believed to be the first role at the time. She says that the type of role - and applicant - has now changed. “Back then we were placing leaders whose focus was very technical in nature. Today, we are replacing those technicians with executives who have a holistic approach to security and risk, can act as enablers, and work with technology leaders in their transformational efforts.”
Katz himself believes Citi was ahead of its time in understanding the strategic value of security. After suffering an attack at the hands of a Russian group, Katz said this alone “was enough of a wake-up call for the CEO and board that they wanted a head of information security in place at the executive level.” He says that most firms are now looking to do the same, largely to adhere to GLBA, FS-ISAC and other regulatory requirements.
Two prime examples of first-time CISOs
Cloud-center-as-a-service firm Serenova hired Stuart Clark as its first-ever CISO in March in a bid to drive further business growth. “We had a security...