“Information security should not be handled as an IT risk, but rather as a strategic business risk,” Igmar Ilves, a cyber security expert at KPMG, says. Therefore, a company should have a person who understands how ensuring information security supports its core business activities – this person is usually the Chief Information Security Officer (CISO).

According to Ilves, the main task of a CISO is to ensure the protection of the company’s valuable data in accordance with information security best practices. “Our experience shows that in many companies, the main problem in ensuring information security is not the lack of relevant rules, but rather the lack of an expert who would have the knowledge and experience to assess the compliance of the rules with information security best practices and the needs of the company. In addition, such an expert should be able to keep the existing rules up-to-date and monitor compliance. Everybody understands that information security rules have not been established just for fun. They are there to ensure the company’s best possible protection in a worst-case scenario, which helps prevent financial and reputational damage,” he explains.

What kinds of organisations need a CISO?

It all depends on the company, its size and its peculiarities. Every company certainly needs someone to deal with information security issues, even if it is at a basic level. A further issue is whether there is a need to establish a separate position for a CISO in the company.

Small companies are unlikely to need such a position, and they generally lack the resources to recruit a person and maintain their competence. In many companies, the Chief Information Officer (CIO) deals with information security issues. Although this approach may work, companies should be aware of its potential risks. Firstly, information security is not limited to IT issues but includes other aspects, such as physical security, operational security, staff security, etc. Secondly, the CIO often does not have the time to deal with information security in depth, as IT management activities (e.g. IT development and IT administration) are quite resource-intensive. Furthermore, information security, and more specifically cyber security, is quite a specific area, and the CIO may not have sufficient knowledge of it.

Larger-than-average and very large companies are very likely to need a position of a CISO. First, it is necessary simply because of the size of a company – it has many locations, many customers, a large amount of different kinds of data, its IT solutions are not limited to just a few systems, etc. In this case, it is no longer sufficient if the role of a CISO is performed by someone handling it part-time, on top of their other responsibilities – the risk of not detecting critical security weaknesses in a timely manner is too high.

What can an organisation or a company do immediately to assess its information security posture?

Regardless of whether a company has employed a CISO (or an expert with similar competence), it can still take small but crucial steps to map and strengthen its information security posture, using its own resources and information available from public sources (often even free of charge).

For example, any company could do an information security mapping exercise, a so-called tabletop exercise, today. This means gathering the company’s key employees in a brainstorming session to think of crisis scenarios that would have the most serious consequences for the company and play out the responses to these situations. The exercise is cost-effective, and its purpose is to understand whether and how the company’s existing response plans support the resolution of different crises. For example, you can discuss in detail what the company will do if it is hit by a large-scale ransomware attack or power outage. If the company has signed contracts with IT service providers, the crises can be reviewed together to analyse if and how they support the business continuity of the company’s information systems.

Let us assume that the worst-case scenario materialises and all the company’s connections and information systems crash. Now you can come up with ideas about how long it would theoretically take the company to restore the normal situation. For example, the Chief Information Officer (CIO) might say that, in the worst case, it would take five days to get things back to work. The Chief Financial Officer (CFO) might add that those five days would translate into a loss of approximately X euros to the company. Based on these figures, the company’s management will understand why a particular IT risk is actually a business risk and draw appropriate conclusions. For example, they can confirm the necessity of investing in backup connections.

Such an exercise can also be carried out more professionally, by involving an external information security expert with experience in performing and managing similar exercises. Nevertheless, it is good to know that there is a lot of good material on information security available on the internet, and often completely free of charge.

How can a company or an organisation realise that they need a CISO?

Conducting the aforementioned information security mapping exercise alone does not guarantee that management will see the need for a CISO. Our experience with clients shows that they usually acknowledge the need for this function after they have commissioned a comprehensive, independent information security assessment project (e.g. an IT audit focusing on information security, an IT risk assessment, or a large-scale security testing exercise). During such a project, shortcomings are usually revealed through security weaknesses identified and interviews carried out with staff.

For example, our team often detects a wide range of technical security vulnerabilities while performing network security testing. We do not just focus on analysing individual vulnerabilities but gather all the findings from security testing and try to identify the root cause for their occurrence. We often find that there is no central competent manager who would understand the whole area of information security and be in charge of it.

The need for a CISO may also stem from the need to obtain certain certifications. Although the ISO 27001 standard does not require a company to create a CISO position, it does require the area to be managed.

To what extent does the role of a CISO overlap with that of a CIO or a CTO? How do they differ?

A Chief Information Officer (CIO) is responsible for the company’s internal IT management (including IT administration and development). A CIO must ensure that information systems are up and running and secure, that necessary developments have been carried out (or are planned to be carried out) and that the company’s employees can do their work effectively using their IT tools.

A Chief Technology Officer (CTO) focuses on the company’s growth opportunities in sales and revenue and on delivering the best customer experience through new technologies. To this end, a CTO also focuses on research and development, among other things.

A CISO, however, supports both the CIO and the CTO in their activities ensuring the security of existing and new IT solutions. In an ideal situation, the CIO, the CTO and the CISO work together as a team towards a common goal of delivering the best, most innovative and secure services possible to their company’s customers, thereby enhancing the company’s reputation and increasing its profits.

Could the tasks of a CISO be assigned to several people?

This approach can work in theory as long as the responsibilities of a CISO are not divided between too many people. At the same time, it should be mentioned that, in practice, people are often unable to dedicate sufficient time to additional tasks. There may be several reasons: the lack of time, competence, commitment (which may depend on the priorities of the company’s management), or a combination of these. As a rule, the tasks of a CISO require certain expertise and are usually time-consuming. Therefore, it is quite risky to assign these tasks to someone as an additional job.

It would certainly be inappropriate to assign the duties of a CISO to persons who lack sufficient competence or to someone in a position that potentially conflicts with the tasks of a CISO (such as involving a potential conflict of interest). It is quite certain that it is only a matter of time before it becomes apparent that a person in a more senior position is unable to adequately perform the tasks of a CISO.

Moreover, it is worth preventing potential conflicts of interest from the outset. For example, it is the responsibility of a CIO to ensure that IT solutions are implemented securely. At the same time, it should be the job of a CISO to verify impartially the security of the IT solutions against an agreed set of requirements. Now, it is quite obvious that if a CIO also performs the tasks of a CISO, an impartial verification of the security of the IT solutions implemented by the same person is simply impossible.

How much has the role of a CISO changed over time? Have IT speak and business speak come closer together?

Information security does not exist for its own sake, but it is one of the cornerstones of a company’s business. Information security ensures that business-critical information (business secrets, customer data, etc.) is protected by optimal measures, which helps prevent financial and reputational damage to the company. This, in turn, ensures the company's viability and its employees' well-being in a long-term perspective.

Therefore, a CISO needs to have a clear understanding of the company’s business, which helps them see what information needs to be protected and to what extent. Ideally, a CISO should report to the management board, acting as a direct source of information on information security issues. Such a relationship of subordination ensures that cyber security receives adequate attention and resources in the company and facilitates the decision-making to improve the information security posture.

It is important to remember that while a CISO is responsible for a company's information security, the ultimate responsibility for overall security (including information security) always rests with the company’s management.

Does a CISO mainly manage people, or can an employee in this role also work independently?

They certainly cannot do this job alone – communicating with and guiding people is essential. The very fact that a CISO is in charge of the area of information security means that the instructions and orders they issue have an impact on the entire company.

An answer to the question of whether the job of a CISO is more about managing people or working alone is that it is both. Generally, it is not a task of a CISO to configure IT systems based on information security best practices. This is done by dedicated experts to whom a CISO can give relevant guidance and instructions. Still, a CISO must make sure that these configurations are, indeed, in line with information security best practices. Hence, a competent CISO must check this personally, which means that they should have a sufficient level of technical knowledge. There are certainly some tasks that a CISO can do mostly on their own, but it depends on the specificities of a particular company.

To sum up, from an information security perspective, a CISO must manage people and processes, but there are also some tasks that they can do alone.

To what extent is information security management a service that can be outsourced?

More and more companies are opting for CISO as a Service (CISOaaS) – this has become a common trend in Western Europe and the United States. The main objective is to save time and money while maintaining the high quality of a CISO’s services.

Companies may have different reasons for needing a CISO. Some may have a critical business reason for quickly recruiting the missing competence. For example, a new potential customer may request that the company have the ISO 27001 certificate, and, therefore, they need a competent CISO who would be able to manage the implementation of the certificate. However, a good CISO is very hard to find. The person needs to understand information security best practices (including technical details), be able to communicate with people (including explaining to non-technical people potential risks stemming from technical security vulnerabilities to the company’s business), be able to manage people, etc. On top of that, a CISO needs to maintain their competence continuously, which requires additional resources from the company. In addition, the whole recruitment process (including interactions with candidates) takes up a lot of valuable time.

KPMG, however, offers the opportunity to use a CISO as a service to the exact extent a company needs. Suppose a company needs to implement the ISO 27001 certificate or the Estonian information security standard (E-ITS). In this case, they can purchase a CISO's services only to implement the standard. KPMG experts will come to the client’s office and agree with them on the objectives of their engagement, its time frame and, based on these, the corresponding workload (how many hours the experts will contribute within the agreed time frame). Then the work can start. The client will have a main contact person (i.e. a CISO), but we can agree that the client can use all the experts in our team (including web application and network security testers, digital forensics experts, people with software development backgrounds, etc.).

It is important to note that each solution has pros and cons, and so does hiring a CISO on a permanent basis versus buying the competence as a service. Therefore, before making a decision, it is important to analyse your company's needs to find the best solution.

So this means that when you ‘rent’ a CISO, you can also use expertise from other areas, does it not?

Indeed, if necessary, it is also possible to use experts from other fields within the framework of the service, which certainly gives the client considerable additional value. It is important to note that, although KPMG’s team has 20 people, it is only the main contact person who attends the company’s management meetings where strategic business issues (including business secrets) are discussed. This way, we can ensure that only a very limited number of people have access to business secrets, which strengthens our relationship of trust with the client. In case specific additional competencies (e.g., in digital forensics) are needed, KPMG’s contact person will introduce a colleague who will be involved temporarily and contribute to the project with their expertise.

Is there anything that the outsourced information security management service does not include but that is sometimes expected?

In fact, CISO as a service means that we perform the functions of a CISO in a company. If a company decides to create the position of a CISO, it will also need to draft a job description, which requires an understanding of a CISO’s role in the organisation. The job description must therefore be drawn up based on the company’s needs. An approach that works for one company may not work for another. The same is true for CISO as a service – although we have developed a certain approach to providing this service, we do not cling to it rigidly. We can always restructure our service as needed in agreement with the client.

What the service does not typically include, for example, is penetration testing. I recently saw a job advertisement where a company was looking for a CISO and a penetration tester in one person. Finding someone who can perform both jobs excellently and maintain competence in both roles over time is extremely difficult. However, as I mentioned before, we can always reach an agreement with the client within the framework of KPMG’s CISO as a service arrangement and involve additional experts, including penetration testers, if necessary.

Could purchasing this service be an intermediate step towards hiring your own CISO?

This is actually a fairly common practice. Indeed, the usual approach is that many organisations (especially large ones) want to have this competence in-house at some point, but they use us to build the foundation for it. Once a company has obtained relevant certificates, implemented security measures based on best practice, set up training programmes for its employees, etc., we may be able to reduce the workload of our CISO in the company from a full-time position to a half- or a quarter-time job.

Later on, the company can calculate how much it benefits from the service and the value we provide and whether hiring a dedicated employee to work in-house would be more reasonable.

So your main contribution is developing an information security policy and getting the system up and running?

As previously mentioned, we are primarily there to fill the position of a CISO. This means that we carry out all activities typically associated with the tasks of a CISO, including developing and updating an information security policy and other related policies, guidelines, rules and procedures. However, the functions of a CISO involve much more than just developing policies. A CISO is usually also responsible for managing the resolution of information security incidents, selecting and managing the implementation of IT-specific security measures, preparing risk assessments from an information security perspective, raising information security awareness of staff, arranging penetration testing, selecting and implementing physical security measures, etc. If a company wants us to carry out some tasks that a CISO does not typically perform, we can discuss them and agree on the details.

All in all, the issues that a CISO deals with are important for any company to varying degrees. The recognition of the need for a CISO, what is expected of a CISO, and the corresponding information security objectives must be decided by the company’s management, who also bears the ultimate responsibility for the company’s information security. In this context, it is the company’s management that has to make the decision whether to hire a CISO or purchase the capability as a service.

________________________________________________________________________

Who is a CISO, what does a CISO do, what is CISO as a Service (CISOaaS)?

* A Chief Information Security Officer (CISO) is responsible for managing an organisation's information security. The main task of a CISO is to ensure that the three information security objectives – availability, integrity and confidentiality – are met.

* To ensure that these objectives are met, a CISO consistently manages the implementation of technical and organisational safeguards and organises the monitoring of their effectiveness within the company, making sure that the measures applied comply with information security best practices in the context of changing circumstances.

* In addition to IT security, a CISO must ensure the physical protection of the company’s assets (ranging from the construction of perimeter fences to the secure storage of important paper documents), map information security risks that could have a significant impact on the company’s core business activities, and establish a systematic approach to information security within the organisation through appropriate policies and processes.

* A CISO, who has the best overview of the current state of security of the company’s most valuable data and information assets, is an essential link between the organisation’s management, the CIO, the security manager, other important managers and the technical staff.