Exploring the CISO role – especially for the SMB

For the uninitiated, CISO stands for Chief Information Security Officer. Information Security is now hyped as CyberSecurity, and will soon become IoT Security, Cloud Security, etc. The risk is real though, and help is needed to identify and set up the Security function.

This is a series of articles to help the CEO / COO / CFO / Owner of the company. At times, the four roles are played by the same person, and at times the roles are shared among the founders/owners. Which of these applies is not the point. More critical is for the people in those roles to have the necessary knowledge to identify a CISO and help him/her move into the role. That is what this series aims for.

How does this work? It works in the regular bonding manner – relationships, norming, forming, bonding: you know the drill.

There is, however, one key difference between this role and other management roles.

The CISO role is always a DOTTED LINE ROLE. What this means is that the CISO does not have people reporting to him/her, yet is accountable for any security leak that happens anywhere across the organization. The obvious reaction when such a breach happens is “We spent so much, hired such a high profile / high skilled / high cost (take your pick) person, and we still got breached! Now my CISO says that we need 4 weeks to investigate. Really? Come on…” and so on. This is a typical reaction; not that I am saying this is not correct. I feel it is very fair that Owners and Management feel this way. My point here is that the feeling needs to come right at the start, when you look to hire the CISO. These questions should be asked at that time, and the various answers sought then. Only when you are prepared can you get to the next level.

Finding what we want as owners (yes, I am also a founder and owner and can relate to your thoughts) is always tough. We need to think about money, priorities, threats to business, cash flow, etc. This is where a fast emerging model is the outsourced CISO. GREAT, so now I don't need to have a headcount, and can dump everything on the outsourced person/company (yes, both models are available). However, DO THINK AGAIN. Have we really got the answers we are seeking? Not really, NO – we don't have the answers. Because, as usual, we have not tried to treat the disease and have only tried to get the patient temporarily cured…

So what then should we be doing?

There are various actions we can take…

  • Identify and define your strategy towards Digital. Yes, you are right: we need to know what our strategy for going digital is. Digital is a huge transformation, and the journey is likely a 2 – 3 year one. We need to build the strategy for the Digital Transformation with Security built into the design. Going Digital is a need, not a luxury to contemplate anymore.
  • Set our expectations. Security is not absolute. You can never be sure that spending x, or even 200x, makes you secure… No, no and no, you are still not secure. Hence you need a plan to detect and act on potential and visible threats – a response plan.
  • Build measurement metrics. Use KPIs and build a story. E.g. after implementing solution x, is my threat detection time reduced by 30% / 50% / 80%? We need to know this and put process around it accordingly.
  • Breathe and live Security Governance. Enabling Governance as a company is one of the hardest things to do. The general thought process is that it will slow down the company: we are small, an SMB, a startup, and we need to be agile. Please do not confuse agile with no-process-required. Process and controls can be put in to make the company more flexible and agile, and need not slow down growth. Used correctly, they can enhance growth. I have seen consultants write 200 pages of security policies and then another 800 pages of security procedures. These don't work. We can enable all of this via workflows and have very tight policies and procedures – the minimum required to govern. And this is something you should demand from whoever is helping you set up governance.
  • Use Open Source technologies. Almost everything is available at very low commercial cost, or as freeware. Embrace this and use it wisely. Open source is becoming more and more structured and much more user friendly.
  • Check that your security officer (either in-sourced OR out-sourced) and the company you outsource to have worked with both Enterprises and Startups/SMBs. It is important that they understand the difference and also appreciate it.

In the next article, we will explore the starting steps: going Digital, and the risks you are likely to encounter when you do.

Till then, stay safe and if you need emergency response/ help, shout out to

Sameer.anja@arrka.com

https://www.linkedin.com/in/sameer-anja-8127851/

twitter: @sameeranja