This white paper discusses the challenges of hiring the right Chief Information Security Officer (CISO) and provides recommendations to improve the hiring process. It notes that the CISO role is still evolving and most executives do not fully understand the role's responsibilities. It recommends that companies clarify the CISO role by making cybersecurity a board-level priority, assessing current security strengths and weaknesses, and evaluating organizational security culture to identify needed CISO skills. Taking these steps will help companies define CISO job requirements and find candidates best suited to their specific cybersecurity needs.
White Paper: Cyber Risk Appetite, Defining and Understanding Risk in the Moder... (balejandre)
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators (Elizabeth Dimit)
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
RSA Security Brief: Taking Charge of Security in a Hyperconnected World (EMC)
The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Briefs:
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
Summary: Establishing positive authority over information security is a goal every organization should achieve. The CISO (Chief Information Security Officer) is the person in the company responsible for protecting the business and its IT infrastructure. The CISO leads a team of security professionals who take care of all the security components within the IT infrastructure.
Presenter: This week’s presenter will be our partner Mr. Daniel Robles, President of Cyborg Consulting, a company involved with Information and Cyber Security consulting, training, auditing and coaching. He is an experienced trainer and consultant with more than 20 professional certificates gained from credible institutions.
A Russell Reynolds Associates study on cybersecurity that explores the importance of the relationship between the Chief Information Security Officer and the Board of Directors.
What is Cyber Security
What is Cyber Threat and Threat Landscape
Is Cybersecurity an IT Problem? It’s a Human Problem
Role of a CFO
Well-accepted Cybersecurity Frameworks and Common Themes
SOC (Service Organization Control) and SOC for Cybersecurity
Recommended risk mitigation strategies for the weakest links of the Cybersecurity chain
Key Takeaways
Best Practices
In January-February 2016, the EIU surveyed 1,100 senior executives on data security practices within their firms. The survey’s primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (e.g. CEOs, CFOs, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
A review of the "lessons learned" in establishing a CISO/CSO role in two different organizations. The things that security folks DON'T tell you...
Cyber-criminals are assaulting every part of the enterprise. But not all cyber-attacks are created equal. In the minds of senior executives, the greatest danger of cyber-attacks is damage to the reputation of the firm with its customers.
SANS 20 CSC: Connecting Security to the Business Mission (Tripwire)
You know the old break-up line, “it’s not you, it’s me….”? As a CISO, what if when you get your few minutes to discuss security with the C-suite, board of directors or mission leadership, it really turns out to be you not them who failed in the communication?
Lack of success in communicating with your C-suite could lead to a breakup sooner or later. I’ve had hundreds of conversations with and about CISOs communicating with their executive leadership, on topics ranging from security breach information, status, performance metrics, risk, and visualizations to overall security posture.
And largely, it turns out to be no surprise that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives.
Success with SANS
The initial UMASS Security Program was based on the ISO/IEC 27002 controls framework; then, starting in 2011, the SANS 20 CSC were added. Today’s program includes both. The ISO controls focus on program management, compliance and process from an IT auditor’s perspective, while the SANS controls’ focus on technology means they are better aligned with IT operations.
Prior to 2011, Wilson was having difficulty communicating with executive management (CIOs and others) – it was difficult to translate the purchase and implementation issues surrounding firewalls, anti-virus, and vulnerability scanning into easily familiar business terms and concepts relevant to management and process.
However, when he ditched trying to explain the ISO/IEC 27002 security controls framework in favor of using the SANS 20 CSC, he was able to communicate much more effectively with his C-suite for the first time in a way they could absorb and support.
In addition, he and his team have been able to map out a measurable and actionable security program based on SANS that he regularly succeeds in communicating to his executive team.
Managing Cyber Risk: Are Companies Safeguarding Their Assets? (EMC)
This white paper summarizes the results of a survey done by RSA, NYSE Governance Series, and Corporate Board Member, in association with Ernst & Young, with 200 audit committee members responding on a variety of issues regarding their cyber risk oversight program.
The Next Great Challenge for CISOs
I am honored to be recognized! Cybersecurity is truly a team effort at a strategic level, either we all work together or the threats will tear us down piecemeal! Every person, no matter their role, can play an important part in making digital technology trustworthy and keeping the Internet secure, private, and safe.
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full... (Accenture Technology)
Business theft and fraud have morphed into significant new threats as companies battle well-funded, highly motivated digital adversaries. Cyber defense rules have clearly changed.
Executive leaders must recognize how exposed their organizations are today and take steps to establish a holistic, end-to-end security strategy capable of protecting their most valuable assets and business operations.
Russell Reynolds Associates addresses five cybersecurity leadership questions that Boards of Directors and executives should ask themselves. These questions cover a range of aspects, from the Board's level of preparedness to talent management for protecting the business in an integrated way.
A successful Chief Information Security Officer (CISO) must wear multiple hats. CISOs are accountable for risk management, data protection, and security infrastructure oversight. But that’s not all: a successful CISO must also possess specific traits that distinguish them from other industry leaders.
Booz Allen's U.S. Commercial Leader and Executive Vice President, Bill Phelps, recently released his list of 10 Cyber Priorities for Boards of Directors. As we peer into how business, technology, regulatory, and cyber threat realities are evolving in the coming year, here is a reference guide for board members to use in validating their company's cybersecurity approach.
For Corporate Boards, a Cyber Security Top 10 (David X Martin)
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
BIZGrowth Strategies - Cybersecurity Special Edition (CBIZ, Inc.)
Cyberattacks are becoming more frequent and sophisticated, making a recovery from them increasingly difficult. Without preparation, a cyberattack can be devastating to your business, having severe operational, financial, legal and reputational implications.
The prevalence of cyber breaches also means cybersecurity is no longer solely an IT concern. Elevating your information security from functional to effective takes a robust set of elements, processes and people working together toward a common goal.
Our professionals have developed these articles and resources to help you protect your organization from these attacks.
What CIOs Need To Tell Their Boards About Cyber Security (Karyl Scott)
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
CISO_Paper_Oct27_2015
A SHEFFIELD HAWORTH WHITE PAPER
Why Hiring the Right CISO is so Hard ... And What You Can Do About It
ERIK MATSON, Managing Director, Global Head of Insurance & Cyber Security Practices
matson@sheffieldhaworth.com | +1 (646) 597-7410
SCOTT SMITH, Managing Director, Technology, Operations & Cyber Security Practices
ssmith@sheffieldhaworth.com | +1 (646) 597-7411
JOHN BUDRISS, Executive Director, Technology, Data Science & Cyber Security Practices
budriss@sheffieldhaworth.com | +1 (646) 597-7431
Introduction
With the brand and billions of dollars on the line, cyber security has moved to the front burner for boards and CEOs of financial services firms. One of their most critical decisions? Choosing the right Chief Information Security Officer (CISO). Here’s how to take the uncertainty out of the decision.
The headlines bring word almost daily of major cyber-attacks. The weapons grow more sophisticated while the vulnerabilities grow more numerous. Today’s attackers include not only global super-criminals looking for financial gain but also state-sponsored groups intent on stealing intellectual property and other strategic assets. For financial services firms, the stakes are high and getting higher: potential business disruption, the compromising of customer information, regulatory backlash, damage to the brand, and possible destabilizing of the tightly interconnected global financial system itself.
www.sheffieldhaworth.com
A Shot in the Dark?
Given the threats, it’s no surprise that demand for outstanding CISOs far outstrips supply. But beyond the challenge posed by short supply lurks an even bigger hiring challenge: knowing how to choose the right person for the job. Here’s why it’s so difficult:
The CISO role is relatively new and its definition remains a moving target. As cyber-weapons grow more sophisticated and the dangers greater, the CISO role continues to evolve. In addition to technical expertise, today’s CISOs must also have:
Gravitas and presence to influence people across the firm
Change management skills to keep the organization ahead of the bad guys
Superior relationship-building skills to work with other firms, cloud services providers, law enforcement, government, and cyber security associations and watchdogs
The difficulty in defining the role is reflected in the many different reporting structures in which it is embedded. In some firms, the CISO reports directly to the CEO or the board. In others, the CISO reports to the COO, CIO, Chief Risk Officer, or Chief Security Officer. In organizations that have been slow to adapt to today’s new realities, the role hasn’t been separated from the role of CIO, who must wear both hats.
Most hiring executives, including CEOs, lack a full grasp of what is required in the CISO role. Do you know what a zero-day attack is? APTs? Metamorphic malware? Polymorphic malware? All of these cyber weapons have figured in successful attacks. Most executives have no way of knowing whether a CISO candidate has the experience to deal with them or with all of the other ever-changing and unknown threats that could bring a company to its knees.
Should you look for a longtime corporate cyber security professional? An IT generalist? A cyber security consultant? Someone with a military or intelligence background? Add these questions to the challenge of defining the role and the difficulties of this already difficult hiring decision multiply exponentially.
Financial services firms are reluctant to share information about cybersecurity. Some information sharing does occur. The Financial Services Information Sharing and Analysis Center (FS-ISAC), for example, provides a central resource for cyber and physical threat intelligence analysis and sharing. Nevertheless, firms are understandably reluctant to admit that their security has been breached, because it tarnishes the brand. They also hesitate to share effective defense strategies, because they regard them as a competitive advantage. As a result, no uniform set of best practices has emerged against which you could measure a candidate’s knowledge and qualifications.
Many financial services firms don’t have a handle on their security culture or needs. Is information security second nature to employees at every level of your organization? Or do many of them fail to follow even the most basic security policies? Do various functions work collaboratively with the information security function or do they regard it as a nuisance or necessary evil? Do top executives agree about the issues of cybersecurity and how to address them?
Consider the discord and confusion PricewaterhouseCoopers unearthed in its “2014 US State of Cybercrime Survey.” Participants were asked what the greatest obstacles were to improving their organization’s information security. CEOs identified lack of capital funding. CFOs indicated a lack of leadership from the CEO. CIOs and security executives cited a lack of actionable vision or understanding within the organization.
Clarifying the Role and the Hiring Decision
To overcome those considerable challenges, you must bring the CISO role and your firm’s specific needs into sharper focus. How? By taking these critical steps to set the context for cybersecurity in your organization:
Make cyber security a board-level concern. Few board responsibilities are as important as oversight of risk management, especially for financial services firms. If cyber security and its risks aren’t already of prime concern to your board, they should be. The board should not only treat it as a regular agenda item but hear regularly from the CISO.
The board’s role helps clarify the role of the CISO. Directors must make sure that management is addressing cyber security adequately and within the bounds of risk tolerance the board has established. The CISO is therefore no mere technician, but a critical resource for the board, helping it understand cyber risks in general and in the context of business actions the firm is weighing. Candidates for the role should therefore have business acumen as well as security expertise.
Determine where you currently stand. Identify your crown jewels: your most valuable information assets, from customer and employee information to intellectual property. Then conduct a no-holds-barred exercise designed to expose your vulnerabilities. (The exercise might be facilitated by third-party cyber security experts, including certified ethical hackers.) Immediately—not months later—follow the exercise with a candid review. Such exercises can be eye-opening. You may discover hitherto unknown weaknesses and, in some cases, exceptional strength.
If security is notably weak, consider CISO candidates who have experience turning around similarly weak organizations. If your security is exceptionally strong, you should seek a CISO who can keep you on the cutting edge. The types of vulnerabilities that you uncover can also figure in the CISO job profile. For example, if you find that the greatest danger lies with cloud services providers or other vendors, your CISO should have experience with supplier management and contracts.
Assess your security culture. The carelessness—and sometimes the malevolence—of employees can be the greatest threat to cyber security. How do employees throughout your organization treat security? What kind of security culture do their actions, along with policies and processes, add up to? If it’s a lax culture, where security is sometimes treated lightly, your CISO will need change management and influencing skills to fix it. If it’s a strong security culture, you have the luxury of seeking a CISO who can focus on more pressing vulnerabilities.
Engaging the board, determining where you currently stand, and assessing the security culture across your enterprise are large undertakings. But with so much at stake, few firms can afford to do less. Talent will continue to be scarce and threats will continue to multiply. Firms that know precisely what they need will waste less time looking in the wrong places and, ultimately, better prepare themselves to fend off ever more sophisticated attacks, protect their most valuable assets, and win the enduring confidence of customers and investors.