Cybersecurity through the CISO\u2019s eyes: Perspectives on a role<\/a>. These are three of the headline findings.<\/p>\n1.\u00a0\u00a0\u00a0 Organization structures reflect cybersecurity\u2019s importance<\/h2>\n
For evidence of the increasing importance of cybersecurity, look no further than organizational structure. IT and IT security are fast becoming separate departments in many businesses. Nearly a third (29 percent) of IT security leaders say not reporting to IT is the number one change in their role.<\/p>\n
Most think it\u2019s a change for the better. Separation from IT gives cybersecurity experts more independence and room for impartial judgment. However, the teams can\u2019t be completely independent. Some security essentials will stay as IT\u2019s responsibility, like patching, access control and configuring a secure infrastructure. The cybersecurity department also needs to know about all new IT initiatives to assess them in advance.<\/p>\n
Most CISOs say they have a good relationship with IT. Where there is conflict, it tends to be around who has the final say on things like deciding patch management routines, the level of flexibility and access for remote workers, and shutting down computers and servers during a possible breach. IT sometimes sees cybersecurity as a bottleneck because security requirements make it harder to launch new IT projects and maximize system performance. As one head of IT security told us, there\u2019s tension \u201cbetween doing it securely, and just getting it done.\u201d<\/p>\n
What can we learn about organizational structure?<\/h3>\n
For a supportive working environment, choose a structure that suits your business. Consider the level of maturity, budgets for IT and IT security, and the size of the workforce in each. Don\u2019t rush to set up IT security as its own department \u2013 you need to know they can cooperate first.<\/p>\n
It helps to have one executive to whom the heads of IT and IT security report. It could be the CEO or Chief Risk Officer. This person must make sure both teams make necessary compromises.<\/p>\n
2.\u00a0\u00a0\u00a0 Risk assessment needs insight, not just numbers<\/h2>\n
Business today must balance exploring new opportunities and minimizing risk, including cybersecurity risk.<\/p>\n
Throughout their careers, IT security leaders have seen many measures for cybersecurity risk, such as threats blocked and issues patched. Metrics follow the \u2018use numbers, not IT security jargon\u2019 rule of communicating with business departments, but figures and charts alone don\u2019t tell you everything you need to know.<\/p>\n
What can we learn about good risk assessment?<\/h3>\n
To know which cybersecurity risks could affect your business and how likely they are, enrich the numbers with qualitative analysis.<\/p>\n
Involve stakeholders like leaders of finance, sales and marketing in evaluating how identified threats affect the business. Their understanding of the main business objectives, such as to grow digital sales or start collecting more customer data, lets you set security priorities. Company leaders shouldn\u2019t just ask CISOs to calculate cybersecurity risk, but to share their broader business insight.<\/p>\n
3.\u00a0\u00a0\u00a0 Be realistic when hiring<\/h2>\n
Around two thirds (70 percent) of CISOs said people shortages were a problem for them.<\/p>\n
Interestingly, some think it isn\u2019t a shortage of talent making it hard to fill roles, but unrealistic expectations for new hires.<\/p>\n<\/blockquote>\n
When a new hire must start adding value right away, the CISO is tasked with finding a \u2018unicorn\u2019 with a unique skill set, instead of developing internal talent. With all the different technologies and solutions nowadays, few have all the skills and background. Even an experienced specialist needs two to three months to learn the company\u2019s policies, processes and nuances.<\/p>\n
Enterprises are often reluctant to train people with less experience because they may leave for a better-paid job. But there\u2019s no guarantee any skilled professional won\u2019t be offered a more interesting job with a higher salary, whether you\u2019re upskilling internally or hiring externally.<\/p>\n
What can we learn about hiring?<\/h3>\n
Approve \u2018backup\u2019 vacancies in the information security department not related to urgent projects. Make sure newbies are mentored and given more than routine responsibilities like log reviewing. Give them the chance to learn something new and to grow professionally.<\/p>\n
These headline findings distill the wisdom of over 300 CISOs worldwide. Our focus was on how things are changing, but in many ways, they brought us back to basics. Enterprise security depends not only on implemented solutions but on well-tuned internal processes. Success doesn\u2019t wear a \u2018one size fits all\u2019 organization structure. It\u2019s in good communication between departments and in finding the knowledge behind the numbers. It\u2019s in hiring realistically and investing in the people you have today.<\/p>\n
This article was published in February, 2020.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Things are changing in information security, but probably not in the way you think. Do business leaders know what their Chief Information Security Officer (CISO) is thinking?<\/p>\n","protected":false},"author":2559,"featured_media":32373,"template":"","coauthors":[3678],"class_list":{"0":"post-32372","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-enterprise-cybersecurity","7":"emagazine-category-leadership","8":"emagazine-category-scale-your-business-business","9":"emagazine-category-trends","10":"emagazine-tag-professional-advice","11":"emagazine-tag-reports","12":"emagazine-tag-trends"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/enterprise-cybersecurity-3-questions\/32372\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/enterprise-cybersecurity-3-questions\/21759\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/enterprise-cybersecurity-3-questions\/20088\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/enterprise-cybersecurity-3-questions\/16368\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/32372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2559"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/32373"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=32372"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=32372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}