A CISO in the Workplace, Part 1: Do You Need a CISO?

Thanks to advancements in technology, planes can fly on autopilot for extended periods of time. Yet, experts and passengers agree: a plane on autopilot still needs a human in the cockpit. Technology is not without fault, and having a person at the wheel to guide the way, respond to unexpected incidents, and course-correct is ideal for smooth traveling. Employing a Chief Information Security Officer (CISO) to oversee an organization’s IT security operations is no different.

Security governance standards, such as ISO 27001, COBIT and the NIST Cybersecurity Framework, require organizations to document and execute information security policies and recommend creating a senior position within the company to oversee and manage them. This individual is accountable for the organization’s security and incident prevention. He or she also maintains C-level communication with executive staff, aligns security initiatives with the enterprise’s goals and objectives, implements asset protection strategies, determines total cost of ownership, and defines a framework around which to build the organization’s security program.

Small businesses that can’t justify the creation of an information security team or a designated CISO can still assign an individual to monitor the effects of implemented policies and procedures and give feedback to executives about any concerns. The larger the company, the more important it is to assemble a dedicated information security team. A CISO will help that team focus on, understand and gain awareness of risks, while assuring employees that the organization’s security processes and “crown jewels” are in good hands.