10 Must-Haves in a Chief Information Security Officer (CISO)

With last month's announcement that the White House plans to hire its first chief information security officer (CISO), cybersecurity continues to be a major concern and national agenda priority. According to Security Magazine, the pending appointment is "part of a larger cybersecurity defense plan that will also include a $3.1 billion fund to replace outdated IT infrastructure; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles." 

And while the stakes may be a bit higher at the White House, the Oval Office isn't the only place where highly skilled cybersecurity talent is needed. Small- and medium-sized business offices everywhere struggle to recruit, hire and retain security experts, and the need is great. The Symantec 2015 Internet Security Threat Report, Volume 20 found that "60 percent of all targeted attacks struck small- and medium-sized organizations" last year. As MSPs, you have a duty to the companies you protect to fulfill the duties of a chief information officer (CIO) and CISO. What does this entail?

How to Become the CISO Your Clients Need:

1. Translate existing control framework recommendations into customized controls to build a comprehensive, in-depth defense for the organization.

2. Understand the industry in which each client's company operates, and the specific threats that need to be defended against. Casting a wide net is not optimal, either for security or for cost efficiency: this kind of approach is expensive, and you might still miss the minute details and vulnerabilities that lead to considerable data compromise.

3. Practice agility in risk management and communicate those risks to senior management, selecting the right mitigation and countermeasures. 

4. Coach and develop those who directly report to you, other members of your organization and appropriate employees at your clients' sites.

5. Learn the culture of the company, and try to implement changes to correct behaviors that may put clients' data at risk.

6. Act as advisor to both senior management and other cross-functional groups within the enterprise.

7. Act independently. The CISO position is an independent function, and should not be influenced by leaders of IT and other members of senior management. 

8. Hire and train the right people for the security function.

9. Sell a security strategy that's embraced by all members of the organization. 

10. Be diplomatic and have the ability to defuse conflicting situations. This is especially beneficial when executives have to compete for budgets and limited resources. A CISO must possess this leadership to enact security initiatives and ensure they're implemented companywide.


If you want to be stickier with clients, provide the cybersecurity insight they so desperately need. Be their virtual CIO and CISO. Lay the foundation for a healthy IT environment, creating complete, responsive and disaster-proof policies, processes and procedures. Then continue to reassess your clients' networks, managing and remediating any issues or vulnerabilities that you identify. Most importantly, remember that you're only as strong as your weakest link: whatever security framework you do establish, verify that it is properly enforced and receives buy-in from all employees at your clients' sites. Become intimately familiar with all of the intricacies of your clients' individual networks, both their physical layout and their operational constraints. Then, once they begin to view you as a strategic partner rather than just another vendor, you'll unlock new opportunities to win more lucrative business, all while strengthening your bond with those clients.