Slowly but surely, the role of cyber security is increasing in importance in industrial and manufacturing organizations of all kinds. One key bit of proof is the growing number of Chief Information Security Officers—CISOs—being appointed to corporate C-Suites. While there was once no professional assigned to cyber security in most organizations, over the years the role had evolved to a management level position such as “Information Security Manager” in many places. Now, we are seeing the role take its rightful place among top executive positions, with a seat at the table alongside the Chief Operating Officer, the Chief Financial Officer, the Chief Executive Officer and other C-Level leaders of the organization.
Surprising to many, it is quite common for the Chief Information Security Officer to come from a non-technical position, such as someone whose career has been in the Legal or Financial areas of the company. This makes sense—many organizations are realizing that cyber security issues, while certainly technical in nature, are most impactful to the financial bottom line or can even thrust the company into legal peril through regulatory or liability issues. So an understanding of these functions on a foundational level is vital. Further, business backgrounds and degrees help CISOs speak the language and communicate effectively with C-Level colleagues and members of the Board.That being said, it also helps if the person selected as CISO at least has strong technical interests or aptitudes. Most certainly, they should be trained in networking and spend a good deal of time on the plant floor learning about what makes the organization run from a technical standpoint.
A good Chief Information Security Officer is hard to find—and even harder to keep. One reason is that an individual with both effective business and technical skills is a rare commodity, and once someone proves their mettle in the position, recruiters will undoubtedly come calling. However, turnover is also high because of some more unfortunate reasons. Sometimes, CISOs seem to be set up as “window dressing” - merely paying lip service to client, industry or Board demands. In these cases, the CISO might not be given the proper authority or budgets matching their position, and the disconnect between the monumental responsibility of maintaining cyber security and the receipt of inadequate organizational support to deliver results can take its toll—not only on the individual, but on the company as well. If you have a CISO, or when you do, don’t fall into this trap. If you create the role, make it count.
The Chief Information Security Officer is a relatively new position, and to the best of my knowledge, there is not yet an official certification or accreditation program for the role. However, there is a fairly robust network of CISOs sharing information, key learnings, experiences and best practices with each other, through various trade organizations as well as through business networking sites such as LinkedIn. Newly minted CISOs should be encouraged to find these sources of professional support. They may also be helpful for finding a CISO, if your organization is ready to evolve in this direction or needs a new one.
What is your organization’s CISO status? Do you have a CISO? Are you searching for one? Is this a new concept to you? We’d like to know.