Industry Calls for Standardization of CISO Role
Professionals from the cybersecurity industry have called for clarity regarding the role of Chief Information Security Officers (CISOs).
Research from Cyber Security Connect UK (CSCUK), a forum for cybersecurity professionals, has stated that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes.
The research also pointed to a lack of skilled, fully qualified professionals coming into the profession.
Mark Walmsley, the chair of the CSCUK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyber-attack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defense against such events is a dedicated person to lead the fight against cyber-attacks.”
Not only does this person need to be qualified, Walmsley added, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.
“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardization and guidance can the role be fully effective. As further digitization of processes occurs and cyber-attacks become more sophisticated, this need will become only greater,” Walmsley argued.
According to CSCUK, in order for standardization to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.
“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained. “This includes comparing the role within different organizations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries.”
Source: Information Security Magazine