What is a CISO? A Sheriff of the Cyber Wild West
If you’ve kept an eye on the world of technology, particularly on the kinds of jobs available there, you may have across titles like CSO and CISO. Since technology jobs are growing left and right, offering above-average earning potential and exciting job perks, senior-level positions are getting some attention.
In the case of CSOs and CISOs, the name of the game is data protection. Breaches in a company’s security were never something to take lightly. But today, the number of people who could download malware to steal, ransom or expose an organization’s secure information is astronomically high. The World Wide Web has become more of a virtual Wild West, and these professionals are tasked with protecting their companies’ precious data from the internet outlaws.
But what does a CSO or a CISO actually do? How do these good guys keep the virtual bandits from breaching sensitive company information? Read on to hear an expert explain who these C-suite tech pros are and why we need them now more than ever.
CSO vs. CISO
Chief security officer (CSO) and chief information security officer (CISO) not only look alike as job titles, but are very often interchangeable, according to Nick Espinosa, CIO of BSSi2.
“These days I see CISO as the primary position advertised, but it can be called CSO, too,” Espinosa says. “Protecting data now means a close harmony between physical security measures (like security cameras) and cyber security.” He adds that some companies might have a CSO overseeing an executive information security manager as well.
He explains that before the age of hacking, an information security (infosec) manager may have budgeted system updates and managed personnel. But things have changed. “Now security is so paramount, larger companies see the need for a dedicated high-end manager,” Espinosa says. “Even one who sits on the board.”
A CISO is especially high priority for companies with a large amount of intellectual property to protect. Sony, Espinosa offers as an example, might not have had a CISO before the infamous and devastating hack of 2014, but you can bet they have one now.
Why have a CISO position?
Security has always been important for any company. But the past decade has brought about a two-fold change in how security works. On the first side, companies rely on computers, VPN networks and information systems constantly, using them not only to function, but to store valuable information. On the other side, cyber warfare has spread and increased in sophistication.
“For a long time, your average small business probably wasn’t much of a target for hackers or criminals,” Espinosa points out. “But now your information could be robbed or ransomed from anyone, anywhere with a few free tools from the dark web.” A small, local venture in Iowa could lose everything to a teenager sitting at a cafe in Finland, in a matter of minutes.
The rise in cyber war and hacking documentation hasn’t hurt either, Espinosa says. When business leaders see massive, catastrophic hacks going down every week, they re-prioritize security. The old security mindset of ‘if it ain’t broke, don’t fix it’ costs big in the cyber Wild West.
“Those are the clients we get post-breach,” Espinosa says. “We have companies as small as ten people sitting behind a $10,000 firewall because they got hit with ransomware and never want to experience that again.”
But the more proactive companies already understand they are out of their depth if they aren’t constantly changing their defense. “I talk to decision-makers and executives of these companies. They see the cyber arms bizarre anyone can access, and they understand the threat,” he adds.
What does a CISO do?
Though it becomes clearer every day that companies should expect attacks and prepare against them, many might be tempted to rely on an existing infosec team to make it happen. But if security is truly a priority, there needs to be an expert in the room when budgeting decisions and even company vision decisions are made.
“As soon as you fall behind, you’re exposed,” Espinosa says. You might think the money you spent last year on a fancy new system is good enough to last for a while, but InfoSec experts know better. “If you give me one version old of a Cisco firewall, I can teach a 3rd grade class to break it,” he says.
The CISO position works to protect the overall vision of a company. The last thing you want as an innovative leader is a public breach that not only costs your company money, but also its reputation.
Another major role of a CISO is to educate. Certain security measures are going to affect all employees. For example, it might take an extra 30 seconds to log on to their computer every day because they have to verify their login. Some may consider this a nuisance, but it’s the CISO’s job to explain how that loss of time compares to the loss of money that could happen from a single breach.
The role is less “in the trenches” than InfoSec specialists tend to be, according to Espinosa. “A CISO is responsible for directing the overall strategy, the systems a company will use and how. The employees then implement it.”
How to advance to a CISO position
If you’re pursuing a degree in technology and love the world of InfoSec, the CISO position is probably the very top rung of your corporate ladder. A CISO needs a unique blend of InfoSec expertise and leadership-related people skills.
“For any C-level role, you have to have strong leadership experience,” Espinosa says. This is true even for the more technologically-minded positions. “You have to marry those InfoSec classes with management and budgeting,” he explains, adding that the opportunities are unique for a highly talented InfoSec expert who has strong people skills and business experience.
Even to rise into general management in infosec, these business skills are necessary. “Take sales courses whenever you can,” Espinosa advises. “It will be part of your job to sell the need for this security.”
Don’t expect to land this prestigious role in your first few years in the industry. You’re going to need a decent amount of experience and a whole lot of knowledge before advancing to this senior-level InfoSec position.
We used real-time job analysis software to examine more than 300 CISO jobs posted over the past year.* The data revealed that 63 percent of employers require candidates to have at least nine years of experience in the field. Even so, it’s always good to know the possibilities you may encounter later on your career path.
One step at a time
When you are at the beginning of your education and career, a position like CISO can feel impossibly out of reach. But the good news is that CISOs are only becoming more common as technology advances, and the InfoSec teams they represent at the leadership level are growing too.
There’s never been a more exciting time in the field of information security. There are criminals, hackers, malware designers, cyber weapon hawkers and outlaws of all kinds out there in the cyber Wild West. We need people who know how to fight that kind of battle and are able to protect and defend property and information.
Want to learn more about some of the positions that could help you gain the valuable experience you’ll need? Check out our article: Information Security Careers: Become the Next Cyber Superhero.
*Burning-Glass.com (analysis of 319 CISO job postings based on experience, Oct. 01, 2015 – Sep. 30, 2016)