Having a CISO on board greatly lowers the risk of an attack, but often comes at a hefty price.
After all, they bear a heavy burden of security for your business, and their services are increasingly
in demand in today's wired, technology-driven commercial enterprises.

Most companies simply don't have the budget for a full-time CISO. One option is to hire
someone to fill the role on a part-time basis and share some of the responsibilities with an
in-house CIO or IT team.

Another option is to engage the services of a virtual CISO, which is essentially a third-party supplier
that provides an IT consulting service.

2. There is no clear delineation of roles within the organization.

It is often the case that CIOs and board members pay lip service to adding more financial and
resource muscle to protecting their information, but in reality not much is allocated toward
tighter security.

In Canada, for example, the average organization spends only about 6-10% on cybersecurity,
according to a recent IDC survey. This is the typical scenario in most businesses, and there is often
a conflict of interest where a CISO's agenda is not in line with the agenda of the CIO to whom the
CISO reports. Decision makers within a company might prioritize keeping costs down or introducing
infrastructure changes, while a CISO might halt operations or slow things down in the name of
cybersecurity.

When there is a CISO in charge of cyber security, whether in a part-time or full-time virtual capacity,
these lines are clearly delineated, and ensuring security is the only message they will
communicate to the decision makers. Security budgets will not be lumped in with other IT needs, and
the need for adequate online security will be given a voice within the organization.


3. Too much reliance on tools, not enough process training.

Businesses with bigger budgets will often invest in numerous anti-malware tools, but having all the
bells and whistles in place is seldom enough.

Take the case of Target, a recent victim of an information breach that resulted in millions of dollars
in liabilities. They were not remiss in installing cyber security tools to detect malware; they
invested $1.6 million on malware detection alone, and yet that did not stop them from being viciously
attacked online. The reason? Those in charge of monitoring these warnings chose to ignore them.
The people who were supposed to put a plan into place when an indication of this magnitude
occurred simply did not know what to do. There was no clear-cut process for them to follow.

Having a CISO accountable for these steps ensures that the installed tools are coupled with
people who know how to use them correctly and can respond immediately to an imminent attack.





33 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide