Enterprise-level companies aren’t legally required to have CISOs – but they should be

Enterprise-level companies aren’t legally required to have CISOs – but they should be

Richard Starnes, Chief Information Security Officer at Six Degrees, underscores the evolution of the CISOs role beyond purely technical domains. Considering heightened cyber-risks and the inevitability of attacks, adapting to modern organisational dynamics is paramount for survival.

Richard Starnes, Chief Information Security Officer at Six Degrees

In an increasingly interconnected world, cybersecurity threats pose significant risks that can severely impact organisations across every sector of the economy. Almost every day, there are new and disturbing headlines about the cost and human impact of cybersecurity breaches, scams and attacks. Yet, it might be surprising to learn that many large enterprises still operate without a dedicated Chief Information Security Officer (CISO) overlooking these risks.

In the UK, large enterprises are defined as having over 250 employees, and while there is a range of laws and standards that govern cybersecurity obligations for today’s businesses to ensure the security and integrity of their networks and data, there is no explicit requirement to employ a CISO – even for large enterprises.

Across the Atlantic, however, the approach is changing, with the US Securities and Exchange Commission (SEC) now requiring public companies to ‘disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance’. For any large enterprise, adhering to these regulations without having a CISO in place now seems like a very unwise and risky approach to adopt. It also seems more than likely that other authorities around the world will follow suit to a greater or lesser extent in the years ahead.

Given the myriad ways in which data risks meet business risks, CISOs now occupy essential advisory positions in optimising strategic planning and response. Today’s complex threat environment also means exclusively leaving cybersecurity to IT departments creates exposure blind spots across the C-suite.

In an environment where cyber-risks constantly evolve, good governance requires the wide-ranging capabilities a CISO delivers so organisations can remain secure, resilient and sustainable for the long run. Their leadership helps connect technological capabilities with broader corporate objectives to realise strategy potential rather than undermine it either through poor implementation or the lack of its effective strategy and oversight.

Key perspectives: Business risk

Beyond the very important and growing regulatory requirements, what tangible value does having a dedicated CISO bring to an organisation? As it turns out, the answer is quite a lot from both business and organisational risk perspectives.

At the most fundamental level, CISOs ensure cyber strategies align with overall corporate goals so security enables rather than hinders business growth. By taking this kind of proactive and strategic approach, they can deliver a wide range of important advantages:

  • Financial protection: Preventing attacks and incidents with robust security minimises potential losses from data breaches, regulatory fines and remediation costs.
  • Compliance: Keeping up with increasingly complex and rapidly evolving compliance requirements is a challenging task. Part of the role of a CISO is to ensure the organisation avoids costly mistakes.
  • Business Continuity: A strong incident response plan combined with Disaster Recovery capabilities and led by an effective CISO lets organisations continue operating securely even when disruptive events occur.
  • Third-party oversight: As businesses interconnect with growing networks of vendors and partners, CISOs work to ensure these relationships do not introduce undue cyber-risk.
  • On-going risk management: Continual assessment and mitigation of information security risks enables leaders to make informed, risk-based decisions that best serve corporate strategy. This works at its best with strong, experienced leadership in place at a senior level.
  • Strategic integration: CISOs also provide the senior security leadership that modern enterprises now require. Representation at C-level also ensures that non-technical business leaders can understand the opportunities and risks they face and ensure security investments support wider business priorities.

Key perspectives: Reputational risk

Beyond the direct financial impacts of a breach, regulatory penalty or both, today’s security incidents can be accompanied by lasting reputational damage and loss of customer trust. In fact, the risks are multifaceted and can include:

  • Brand trust: Cyber incidents often negatively sway public perceptions of brands for years. However, showing a mature approach to security – even after a breach – can help protect and sometimes enhance trust among stakeholders. Without strong and effective security leadership, however, organisations find it much more difficult to minimise the likelihood of security incidents and organise effective response and recovery.
  • Customer confidence: Customers everywhere now consider privacy and cybersecurity reputation when choosing who to entrust with their data, and a CISO-led programme demonstrates a firm commitment to earning this confidence. What’s more, today’s connected consumers are more likely than ever to share their bad experiences online, including when cybersecurity incidents or data breaches impact them personally. In this context, customer confidence is easily lost and both challenging and expensive to restore.
  • Investor relations: With cybersecurity breaches often having a direct impact on bottom-line performance, effective data security – or the lack of it – can influence investment decisions. CISOs help address investor scrutiny by providing strong evidence of cyber-resilience and regulatory compliance.

The point here is that incidents will occur, and given the volume of attacks now taking place, many organisations operate on the basis that it’s not if they will be targeted but how often. However, skilled CISOs understand that a transparent, quick and empathetic response can play a huge role in retaining stakeholder loyalty during difficult times.

In reality, any large organisation operating without a CISO in place exposes itself to substantial financial, operational, reputational and regulatory risks. The business case for investing in a dedicated CISO role has never been stronger, particularly as cyberthreats continue to proliferate in an increasingly complex risk landscape.

Their leadership not only helps protect companies from preventable threats, but it also streamlines compliance, reduces costs, protects revenue streams, maintains business continuity, improves risk visibility across the C-suite and nurtures customer confidence by demonstrating transparent security governance geared toward earning trust.

With extensive skillsets across IT infrastructure, data governance frameworks, risk management practices and regulatory landscapes, today’s CISOs have moved well beyond exclusively technical remits. What’s more, by elevating cybersecurity strategies from isolated silos into integrated programmes that support fundamental operating capabilities, they are becoming indispensable to the way modern organisations operate and succeed.

Browse our latest issue

Intelligent CISO

View Magazine Archive