"We aren't even quite sure what the position should be doing for us..." is a quote from a bank executive that I recently had a conversation with. He was describing some of the frustrations he had with his former CISO. He knew the position was important to his organization, he just wasn't sure of the details.
He followed that statement with a question: "how do we avoid having this happen again?"
My response was a set of 6 questions that we worked through together. It's not an exhaustive list, by any means. But it's a good starting point to make sure your executive team puts some thought into how the CISO role fits into your organization.
#1 What do we want from the CISO?
Every organization is different, how does the CISO fit into yours? The CISO is not just an IT function, management needs to understand that it's more of a risk management position. What committee(s) with the CISO sit on or chair? The risk tolerance of the board should also be taken into consideration; trying to mix risk takers with risk averse is like mixing oil and water. Are you an innovative bank or credit union? If so, find a good balance between business and information security functions for the role. Finally, does the job description reflect all of this?
Requirements of the CISO are defined by the FFIEC here:
http://ithandbook.ffiec.gov/it-booklets/management/i-governance/ia-it-governance/ia2-it-management.aspx
#2 Who will they report to?
This is a topic of great debate. Some argue the CEO, others the CRO, CFO, or COO. My suggested requirements are:
1. They have proper independence from IT (so not the CIO)
2. They have proper authority (either on their own or through their direct supervisor)
3. They have a direct line of communication to the board
#3 What resources do they need?
One area of friction that we've seen in some of our clients is the lack of access to raw report data for the CISO. This means direct access to unaltered reports from sources like: antivirus, firewall, IDS/IPS, SIEM, AD, spam filter, phishing testing, vulnerability tests, etc. This can be sacred ground for IT, but they are mandatory for the CISO to perform their job functions properly. Communicate this expectation upfront with IT staff. Follow up regularly to make sure the CISO has access to what they need.
#4 What traits do we want our CISO to have?
A common mistake is to assume a pure IT expert or IT auditor will be a good fit for the CISO position. We've also seen financial institutions underestimate the value of experience in the banking industry. Both can have a negative impact on the position.
We teach the Six Pillars of Knowledge and Expertise for an effective CISO, but this generally translates to:
1. They are a leader
2. They have a firm understanding of IT and cybersecurity
3. They understand the banking industry
4. They tie all those things together to effectively manage risk
#5 What is our budget?
The average salary for a Certified Information Security Manager is $125,000. When you add 34% for benefits, it's over $165,000. The cybersecurity skills shortage is only pushing that number higher each year. If you are looking for a professional who is proficient in the requirements of the job, be prepared to pay at least a 6-figure salary.
#6 Could a virtual CISO be a good fit for us?
When you consider the challenges of finding candidates that fit the requirements for the CISO position, you can see why more and more banks and credit unions are looking to fill the CISO role with an outsourced entity, even FIs several billions in asset size. This can have several benefits:
1. Cost savings of up to 50% vs. a conventional employee
2. The CISO position often doesn't require a full-time workload
3. Access to experienced, certified, professionals
4. Flexibility in the position vs. a conventional employee
[mc4wp_form id="1649"]