What’s a CISO? And Why You Should Have One

  • January 19, 2022

An emerging role in organizational leadership is the CISO or Chief Information Security Officer. In fact, the first CISO was appointed by Citibank in 1995. However, despite the growing threat of cybersecurity attacks, many organizations do not have a CISO. This is especially true for startups that find having a CISO expensive and prohibitive. Instead, many organizations rely on building their security organically, often resulting in various employees handling the task without an accountable person.

According to some security experts, companies often name a CISO only after a cyber attack. Even when they have a CISO in place, that person may not report high enough in the organization or have the right budget and staff, which makes them much less effective at preventing an attack. The cost of an attack caused by not having a CISO, or by having the wrong CISO, is often much higher than the cost of having the right one in the first place.


What is a CISO?

One of the most important decisions your organization will make is who to hire for your security team and as your CISO. What began as a role mainly for technologists has expanded over the years to be one of a technology executive and business strategist. They are the person responsible for your organization’s cybersecurity and compliance initiatives.

It is common practice for organizations to hire a director of security. This person typically sees to the day-to-day security operations. A company may even give this director (or a manager, VP, or analyst) the title of CISO. CISO is a standard market descriptor; when government or law enforcement agencies need to interact with the person in charge of security, they go to whoever holds that title. Many companies think that this is enough. They would be wrong.

A CISO is a leadership role. They interface with directors, other C-level executives, and the company’s board. This is not a secondary role but a key position for an organization. They should have a direct line of communication with the CEO. Most of all, your CISO will set the security vision for your company. A CISO will need to understand security inside and out. They will interact with government and regulatory agencies on security issues. They also need to be able to speak to the CEO about security and risk mitigation and potentially with customers as well, ensuring your products are safe and secure.

Because organizations vary in size and structure, identifying the right person becomes more and more complex. CISOs often come from the ranks of security departments. You will also find that many have gone back to graduate school for an MBA to learn the nuances of business. As a result, they have the education and experience to report to the CIO or CEO on a regular basis.


Why should you have a CISO?

Based on the scale or structure of your organization, you may still feel you do not need a CISO. Unfortunately, nothing could be further from the truth.

Staying Compliant

Staying compliant is a necessity. Your CISO is your link with the government and law enforcement agencies that enforce compliance and other regulations. They should be aware of the regulatory commitments of your industry and ensure your organization is in compliance. Even more importantly, they should know the local laws that apply to your IT organization, enforce the necessary rules, and implement tools and mechanisms to keep your company or any of its employees from breaking the law.

Internal Security

Beyond staying compliant, your organization will want to do everything in its power to prevent cyberattacks. The CISO oversees the company's security training and policies. It is their job to protect your organization from attacks. In addition, they are responsible for the security of the company's information and assets.

A CISO is the person who covers your back when you are surfing the internet on your corporate computer by ensuring harmful websites are blocked. They are also the person you will curse when you try to perform some operation within your cloud infrastructure and discover you have no administrator privileges. They protect cloud resources and add security to the SDLC, the CI/CD pipeline, and more. A CISO may be a huge pain, but you will thank them when a competitor with poor security is infected with ransomware costing thousands or even millions of dollars.

Security can set your organization and its products apart. Having a CISO isn't just necessary for satisfying compliance; it is a sound business strategy that will support your company's success, both now and in the future.

If your organization needs help with this role, our CISO-as-a-Service is ready to help.


Written by: Diego Woitasen