CISO Information Security Officer
Article number 200 in my personal blog, rberny.com


Spanish version

This is one of the definitions in circulation for this role: it says the CISO is primarily a Director. I think it should not be stated only that way. We do see that it is quickly becoming a key role in almost all "big" companies today, and when I hear this I get the impression that we still segregate by medium and small companies, which at the end of the day also have IT assets and also need at least one person with cybersecurity knowledge to face these challenges. So I invite you to open your mind and consider everyone who has digital contact, even if they only use the network of networks; that is enough. In my experience the role can extend to a Manager or Head of Information Security; the important thing is that the person is a specialist in the field.

What is a CISO?

CISO stands for Chief Information Security Officer. The CISO is responsible for implementing proper governance and security practices and for running a security framework that enables risk-free and scalable business operations. A chief information security officer can handle different tasks and job responsibilities depending on the hierarchy, the vertical, and the organizational regulations.

As hackers become more sophisticated, CISOs have new responsibilities to safeguard their companies' data and security. In addition to technical expertise, they must have business acumen and strong communication skills to inform senior executives and board members about cyber risks and best practices.

Over the last 10 years this position has indeed grown in importance; today's companies rely on the CISO to guide them in making some of their most important business decisions, especially when it comes to technology.

In fact, a Gartner report states that as the CISO's role grows, so does their digital business outreach: 64% of board directors indicate that their organization is trying to make significant changes in its economic architecture to put more emphasis on digital, and 88% recognize cybersecurity as a business risk.

This is where the CISO comes in: they need to understand the information appetite of the business and adapt to reality while ensuring that cybersecurity is not compromised. This includes getting the board of directors to make the right decisions, not only about their plans of scanning, but also about how they can carry them out with minimal disruption and securely.


To better understand what makes a CISO tick, Trellix presented the research:

The Mind of the CISO at the RSA Conference 2023.

The research is based on a survey of global CISOs across all major industries and reveals how they work amid a tumultuous threat landscape, as well as what business functions hold them back and what they need to succeed.

“A CISO is motivated by the mission to protect, yet they say they feel unsupported, unheard and invisible,” said Bryan Palma, CEO of Trellix, at the RSA Conference in 2023. “I have been a CISO, and I tell you it can be the loneliest job in tech,” Palma continued. “Now is the time, with AI in the hands of good actors and bad, to revolutionize SecOps strategies and fight back against criminals.”

Summarizing:

“We need to empower our CISOs to win every time.”

CISO responsibilities

The daily responsibilities of a CISO can vary depending on their position in the organization; they can be distributed across the following functional domains:

  1. Cyber risk and cyber intelligence: Monitor developing security threats and help board members understand potential security issues that could arise from data takeovers.
  2. Security operations: Real-time analysis of threats and intervention when something goes wrong.
  3. Data loss and fraud prevention: Ensure that internal staff do not misuse data.
  4. Access and identity management: Ensure that only authorized people can access restricted data and systems.
  5. Security architecture: Planning and purchasing security hardware and software and ensuring that the IT and network infrastructure is designed with security best practices.
  6. Investigations and forensic analysis: Identification and definition of the cause of the breach, coordination with internal parties, and planning to avoid a repeat of the same cyber incident.
  7. Program management: Implement security measures that mitigate cyber risks, such as regular system patching.
  8. Governance: Ensure that all of the above initiatives run smoothly, receive the necessary funding, and understand the importance of each initiative.

The struggle is real for the CISO


While this is a global report, the research also revealed the biggest pain points in the CISO experience. As I told you, unexpectedly, 100% of CISOs admit they don't have enough support; specifically, CISOs struggle to win executive board support for the resources needed to keep cybersecurity strong. More than half think their job would be easier if all employees across the company were more aware of the cybersecurity challenges. How easy, no? You have to work to make it that way; that is one of the tasks of the CISO, senior management and the IT area: educate people on cybersecurity. In addition, a third of CISOs cite the lack of qualified talent on their team as a top challenge.

What is more concerning is that a whopping 70% of CISOs have handled a major cybersecurity incident at least once, and 28% more than once; 74% of respondents feel fully or mostly responsible for incidents, and 29% experienced high attrition from the security operations team as a direct result.

At the same time, the CISOs surveyed stated that their organizations are working with too many bad solutions, with the average organization using around 28 individual security solutions; 36% also said that a major obstacle is having too many pieces of technology without a single source of truth. CISOs can find the number of security solutions available to them overwhelming, unnecessary, and challenging.

So having the right solutions makes all the difference: for example, 96% agree that having the right tools would save them considerable time, while 40% want access to a single, integrated business tool to optimize investments in security.

As data breaches become more frequent and costly, the demand for IT security professionals will grow with them. By 2024, the cost of data breaches will grow from $3 trillion per year to more than $5 trillion, reflecting an average annual growth rate of 11%. This trend can be attributed to increasing fines for data breaches under increasingly stringent global and regional laws.

“Businesses need to invest in IT security as a dedicated function to avoid these costs”

Despite the fact that most CISOs report that cybersecurity is important to their board members, research shows that there is still an apparent lack of support from leadership to keep the company strong.

The importance of having the right technology in place is also self-evident, but what many organizations lack is a unified IT security system that leverages XDR and is constantly evolving to protect against the most sophisticated cyber threats.

“While it is important to prevent security breaches, organizations should also have a plan to mitigate these breaches when they occur”

Addressing skills shortages for a more secure future

There are several ways in which companies can work to fill these vacancies on time and with expert professionals. For medium, small and micro companies, here are three tips:

Prioritize skill requirements when writing job descriptions:

Organizations need to take a hard look at the skills required for the job, which ones can be introduced through internal training, which skills overlap with existing roles, and write more specific job descriptions.

Look for candidates beyond IT:

Employers should ask themselves whether the position requires a full degree in IT; in some cases it might be possible to hire a high-potential candidate with a strong academic record, albeit in a different field, and then teach them on the job.

Make it easy for workers to enter the cybersecurity talent pipeline:

Organizations can partner with government agencies and academics to remove unnecessary barriers workers face when entering the cybersecurity field.

For example, one of these associations and alliances is:

Cybersecurity Workforce Alliance (CWA):

An alliance of private companies, government agencies and academics with more than 1000 global members, aimed at training young cybersecurity professionals.

“Candidates can also do their part to upskill the various IT security roles that will be most in demand in 2023 – 2024, with IT security certifications to address the skills gap.”

There are a host of courses and certifications that can prepare IT talent for the skills shortage and the potential employment opportunities ahead in 2023-2024; some of these include:

As the demand for IT security skills grows, companies need to rethink how they recruit and try to fill an opening; for their part, they would have to invest more in training and on-the-job learning rather than relying on easily acquired available talent.

Threat response needs a new way of thinking.

“Don't ignore this key resource”


Cybersecurity Career

Career reinvention can be daunting and intimidating; luckily, the field of cybersecurity proves to be a good place for such a change.

The cybersecurity industry is an ideal space for reinvention, as it is always looking for innovative perspectives, but it is essential to know all the details before committing, especially when moving into such a critical field of work.

The Effects of a Cyber Skills Gap

A significant skills gap in the cybersecurity industry has created a unique opportunity for people from diverse backgrounds to enter the field. Employers are looking for new people who may not necessarily be trained as cyber defenders, but who have fresh perspectives and the potential to learn. This situation creates a tremendous opportunity for career reinvention; in response to this talent gap, the industry has committed to providing new hires with the resources and support they need to reach their full potential and succeed in a new professional space.

Training people with little or no cybersecurity experience takes a lot of time, dedication, and resources. However, this training should be made a priority, because drawing on a larger talent pool is mutually beneficial for new hires looking to make a career change and for companies looking to grow.

I hope it helps the new generation of CISOs and cybersecurity specialists.

Greetings, your friend,

Rubén Bernardo Guzmán Mercado

IT Coordinator, Information Technology and Cybersecurity Specialist, IT Manager, Think outside the box!!!!


Thank you all so much for taking the time to read me.
