Why You Need A Cloud-Savvy CISO — And How To Find One
The growing adoption of cloud-based solutions has brought about dramatic changes in the workforce and the skills we need most to drive business success. For example, companies that leverage cloud solutions usually need fewer IT staff than before because their providers do much of the technical work. On the other hand, they frequently need more people who can analyze business needs and match them to cloud-based solutions — think architects, business analysts and tech-savvy business users.
Perhaps one of the most notable changes we’ve witnessed, however, has been the increased importance of a capable CISO. Cloud computing changes the way organizations store, use and share information and applications, fundamentally altering the nature of cyber risk in every company that uses it — from education and nonprofit to healthcare and financial services to manufacturing and consumer goods firms.
Often, new challenges stem from a lack of cloud knowledge within the organization. Under the shared responsibility model, the provider secures the underlying infrastructure, but the customer remains responsible for how services are configured, who can access them and what data is placed in them, so gaps in knowledge surface as misconfiguration, rogue service usage, access management deficiencies or security strategies that don’t address cloud-specific requirements. Other new risks come from outside the business: tech-savvy attackers seeking to steal data or cause financial damage by exploiting those same misconfigurations and access-control gaps. As a result, many organizations are pulling their heads out of the sand to proactively address cybersecurity and risk in today’s cloud-friendly environment. They’re looking for capable leaders to raise awareness, create strong cross-functional business/technology partnerships and develop strategies that effectively balance risk with cost.
Looking for a cloud-savvy CISO? Good luck.
Unfortunately, it’s tough to find someone to fill the important shoes of today’s CISO. We’re in the midst of a global cybersecurity skills crisis, according to a recent report published by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG). This skills gap has impacted about 60% of companies, making it difficult to find, attract and retain cybersecurity talent, particularly when it comes to cloud computing. With a limited candidate pool for senior-level skills and stiff competition, how can you find the right cybersecurity leader for your unique needs? Here are a few tips.
1. Prioritize which skills you need.
Begin by establishing a clear understanding of how cloud factors into the business’s strategic goals. How has the cloud changed your architecture? Will it continue to grow, and in what way? Then consider the business’s tolerance for risk. What’s the potential impact of an incident? What’s the cost of being out of business for a day, a week, a month or forever? Determine which risks the company can live with, which must be actively monitored and how the organization should respond to incidents when they occur.
Then, identify the cybersecurity and risk management skills and experience you need, with a heightened focus on your cloud footprint today and moving forward. Look at your team and be honest about whether you can meet those needs in-house or not. Identify gaps and prioritize which skills and experience are most important to acquire, and then create a clear set of criteria to use during recruitment and when creating training and development plans.
Finally, don’t underestimate the time your business needs from this leader. One of our clients recently discovered that employees had signed up for unapproved cloud-based services using their company email addresses. Senior leaders must now enforce policy around the approved list of services and crack down on employees using those that are considered off-limits. Given the new challenges and increased cyber risk that cloud has introduced, from compliance to enforcement, they have their hands full.
2. Make an FTE versus fractional CISO choice.
Cybersecurity should be front-and-center as important business decisions are made, but it can become an afterthought without a strong CISO sitting at the leadership table during strategic discussions. Unfortunately, some companies can’t justify hiring a full-time cyber leader and end up creating a shared job function that is diluted by other, unrelated responsibilities. Others may be able to establish a full-time role, but they can’t justify its position in the C-suite.
These decisions often come down to financial considerations, which the ISSA and ESG report identifies as the number one reason CISOs leave a company for another opportunity. When deciding whether to hire or outsource your cyber leadership role, keep these challenges and tradeoffs in mind. Define the role clearly and carefully, prepare to compensate the individual who fills it appropriately and do everything possible to elevate the position to the leadership team level.
Additionally, consider engaging a fractional CISO. A fractional CISO is an external partner with deep cross-industry knowledge, a proven track record of executive-level experience and top-notch communication and collaboration capabilities who becomes a trusted member of your leadership team. Unlike a “virtual” CISO, who usually works for a managed service or security provider with its own products and/or services to sell, a fractional CISO (who commonly works for an independent consulting firm) is engaged by you to provide unbiased, vendor-agnostic advice and recommendations. This could be a great choice for many organizations, particularly those that are just beginning to ramp up cloud and cybersecurity efforts.
3. Make cybersecurity and risk leadership a top priority.
We’ve learned through work with our clients and research as part of my master’s program at the University of Massachusetts Dartmouth that management teams increasingly understand the importance of cybersecurity and risk. Many businesses have created formal cyber risk or security teams that they can call on during a crisis. However, not all have taken the leap to hire a skilled, experienced CISO.
If you’re one of them, be clear about the different types of cyber risks your business faces as it relies more heavily on cloud-based solutions. Look for the right leader for your organization, whether that’s a full-time CISO with a spot on the leadership team or a fractional CISO who brings their knowledge and experience to the table in a more adaptable way to meet your unique needs. Finally, make cybersecurity and risk a component in every strategic discussion and decision.
This article was originally posted on Forbes.com