The challenges to information security in companies are increasing every year. The focus is on serious attacks against small and large companies and the urgent need to protect their own information. It is no longer sufficient to view the protection of corporate information in a one-dimensional way. Many different facets are important: authentication, authorization, governance, policies, processes, monitoring and surveillance, cyber defense and many more.
Putting a company on the right track in the long term requires strategic and technical expertise that is usually managed from the information security area within the company - by the Chief Information Security Officer.
But what skills does a modern CISO need? What should be his or her strengths, what does a company need to look out for if it has this role, or how does a security expert need to develop in order to meet the numerous requirements for this position? Join this session by KuppingerCole CISO, Christopher Schuetze to get answers to these pertinent questions
We will see, we will see this during the presentation, so I'm pretty sure most of you here in the room and online are aware about confidentiality. So it must be ensured that people who have access to and file or undocument really have access to this document. The integrity is an essential part of being sure that data isn't changed, that information isn't changed, and availability is a very important topic as well. So if there is some kind of a tech, if there's some kind of incident that you are able to work. Yesterday we had a great workshop about business resilience management and exactly these topics are there relevant too. But the question is, is does everything a chief information security officer should be able to do? And usually if you start with some new idea, with some new intention, you ask yourself why is confidentiality and integrity not too generic for a modern se? And and that's a good question.
Copy a call did some great survey in the past month. Online we ask our followers what topics are most relevant in your enterprise for you and surprise ransomware business, male compromise attacks on critical infrastructures and malicious insiders are more or less the most important topics. But at the end, challenges organizations have to deal with what are, what are the security issues are all related to communication, collaboration, and sharing information, which means the role of the chief information security officer is really, really relevant here. And I just added the CIA items here on that slide. What is relevant here? So for ransomware, confidentiality is harmed integrity and for sure availability. Business may compromise if someone sends emails in the wrong names or not exactly. The chief executive officer gives false information to people. This is a big threat to your organization where you have to deal with, this is something you need to be aware and at least based on the CIA paradigm, which you may might know from your studies, CIA is relevant here, but that's only half of the truth.
The CSO also have to deal with regulatory requirements. We have so many standards, GDPR requirements and all that stuff. The CSO needs to be aware of that and he needs to ensure that the company is improving their security here, their hygiene, their preparedness, their resilience. Also usually the C is responsible for internal compliance. Translating those stuff from external into concrete, internal descriptions, policies, guidelines, whatever. On the other hand, depending on the type of your organization, software development, you have developers, developers work with data developers, test developers publish this stuff, need to be in the software development monitored as well. And not last but not least, there are so many new types of technologies and paradigms, misinformation, deep fake software as a service, multiple services for sure. Data mining, extracting data from public available data maybe that you can derive confidential data, information, mining, this is everything possible and this is something which is or might be under control of the se. So let's have a look at the specific tasks of a se and what did I do? I just had a look at two job portals and had a look on two job description or two job applications about companies or institutions that are looking for a new chief information security officer.
First of all, that's a little bit small for me by the way. I highlighted two items here for each job description. The first one is they are looking or task for you is the management of the information security department. This sounds really great. Embraces for one employee that's a little bit small for an IT security department, at least in the governmental area here. But the other item or the other task is really cool and essential information security related business processes and risk analysis. And this is important. You need to create transparency obviously. The other job description is talking about assess current security and GRC stance of the company, identify weaknesses, create improvements, and create a roadmap. And this is really important again, transparency. And the fourth point here on the list is awareness. And this is what something that was discussed in the panel this morning too.
You need to train your people. They need to be aware and I don't know who said it but one stated it must be insured to train them frequently, not only 45 minutes once a year. That's not sufficient. It's a process, a living process. People need to be reminded on security every time. That's what I do by the way too. Sometimes I just paste some information in our internal network and say, hey, please take care of this or that situation, especially when traveling to conferences. Okay, so let's summarize a little bit. What does a Cecil do or be able to do? What are his tasks? He creates transparency. Transparency means risk analysis, risk management, business impact analysis and all that stuff.
To create transparency, you need to understand what are your threats. On the other hand, you need to build compliance, you need to create an information security management system. You need to create the policies you need to enforce them. That's the other part. Writing great policies is on is a nice thing, but people need to lift that. They need to understand that therefore you have some capabilities like monitoring internal audits and all that stuff. This is your role. But one of the most important topics or tasks of the CSO is communication and advice was was also discussed in the panel this morning. You need to be the internal one for security, for information security. People need to know if they want to know something about information security, it's the chief information security officer, his team or the specific stakeholders. But they don't need to be afraid of you.
They need to know, oh the chief information security officer can help me. He can enable me to do my everyday business to improve the security and at the end to enable the future of the company. We all know what could happen if you have a really critical incident within your organization, and this is part number four, build resilience based on the risk analysis, based on the business impact analysis, you need to create measures against it. You have something like in risk appetite. This is usually senior management level. They say for instance, 50% of the annual S is the maximum risk we want to tolerate. Tolerate, which is honestly a lot but nevertheless for all the other risks where the senior management is not aware of or you need to make them aware of you need a plan B or a plan C and you need to test your plans.
If you do not test your plans, they are worthless. They are just a written document where you don't know whether it works or not. Again, yesterday we had a workshop about exactly that topic, how to build and improve and run testing environments and stuff. And this is what we do in advisory for our customers as well. So that's the other hand battle mentioned. And last but not least, you need to manage the information security. You need to be the translator between the technical guys and between the senior management. You need to translate to mediate something. Sometimes you need to be able to do something like budgeting, program planning, team managing, pick or create the best out of your team, use your team, enable them and power them. That is really a relevant topic.
That was a bit too fast. So what does this mean based on a skills level? So let's jump back again to the job descriptions on the left hand side, successfully completed university studies, whether it's a master degree in in business, technical background, mathematics, computer science, whatever. And that's important. Practical knowledge of Microsoft products such as Windows operating systems office. Okay. And on the other hand, the other job description experience. Yeah, we all want to have the 25 year old person with 20 years of experience in a comparable role that this is sometimes challenging and maybe for those of you who are interested here, this presentation gives you some insights where can improve yourself. Another requirement would be hands on experience knowing the standards for sure, the ISO 27,000 or N framework called with the stuff, tza, whatever. And again they wrote it down, the ability to create well-structured working roadmaps to building. So building the future security information, security requirements for your organization. That's a task of a C. So let's summarize this a little bit.
We have 100% and I shared it over this for bullet points. Those of you who are mathematical aware, it's on these are only 95%. Yes. On the left hand side I would or experience this, the fundamentals should be you need something like a technical degree under UNI university or a real technical background in system eyes or whatever, which also includes for sure business capabilities. So and CISO is not the technical and it's not a manager, it's it's it's both. He's both. That's the truth experience, yes, it is key. It is important and you need to build this experience. So I have a huge consultancy background, which means I have talked to many different stakeholders and organization and this helps me every day when advising cecils, when doing all internal C stuff because I know different processes and approaches and this is something which is really, really valuable. The understanding of the internal organizational processes, whether they are IT related or from another area, deep technical expertise for sure should be there. A C from my understanding should know the things, but he should not be the expert for Windows server mandatory or for office. It would be great if he's able to use FORTING guidelines in Word, but honestly a C of a bigger company will never touch systems and maintain them soft skills.
Solution oriented working is really something that is mandatory. This chief information security officer is leading the company's information security team. He's the one who decides where security goes or he needs to fight or argue or argument with the board, with the management about budget plans and priorities to improve the security and to improve or improve the resilience of the company. And for that he needs to be, I mentioned that something like a mediator sometimes that's an important part. And leadership, the typical leadership part. A CISO is usually not a technical guy, not only the technical guy and the seller. Maybe he has something like that background that's important. But he needs to lead his team, he needs to enable his people, he needs to be the one who goes out with passion. How important information security, cyber security is for your organization. Maybe doing something like this presentation that is really important and this ensures at the end that's the most important role of the chief information security officer.
The success of the company because if security issues are coming up and the company is not able to run their business, nobody will earn money at the end and the last 5%. Sometimes it helps to have a good and restorative sleep as well. Maybe you know this funny LinkedIn picture with the CEO CIO and the C in the bed where the C is not sleeping in the bed and the others are. I really like that. It's a good example. But here preparation is really key. Okay, so what is the art of becoming a multifaceted at this slide? I really love it's an Analyst and advisor answer. It depends. It really depends on the size of the organization. What I told you is true for almost every organization it would be the 100 percentage fit. But if you are working for a company with 100 people, you are probably not responsible for an IT security team with 20 persons.
If you're working for a company with 5,000 or 50,000 employees, your IT team should be much bigger. And then you, the skills vary more into management and leadership role and this is important, but you as an C, as a chief information security officer can grow in that role. And to summarize this a little bit, and this was also mentioned and I was really happy about it this morning, I think by Ralph you need to be to have the curiosity to learn about new topics and technologies. So at this conference we will also talk about the metaverse state driven attacks and all that stuff. This is something you need to be aware, you need to know about security issues that could harm your organization, your business model in the future you need for sure knowledge around leadership management and financial topics. So in a bigger organization, chief information security officer is responsible for a program.
He's not a project manager. The security information security is a program and that's how you need to run that technical expertise is in IT security. I think a topic we all know, we all have to learn frequently. And this is something we are currently doing here and legal and regulatory requirements are a topic. They change, they evolve. We need to understand the new re the new requirements. And that's a really an important thing. And at the end, understanding how attackers, the people behind the attacks, the people that are using tools to get access to your data, to your organization, to harm you understand how these people work and think and be faster or more expensive than they are. And that's the art of becoming a multifaceted chief information security officer. Thank you.
Thank you Christopher for this presentation. I got one question from the online audience and the question is what do, and you somehow answered it already, but perhaps we reiterate what would small enterprises do? Can they afford to have a season? Or I can do it the other way around. Can they not afford to have a season? Right?
You already answered they cannot afford to not have a C for sure. Depending on the size of your organization, a chief information security officer is a, is not always a full-time role. It should be, but it is not always possible within your organization, but at least you need someone within your organization. And maybe it's with excellent at the beginning, it's better than nothing. Being aware of the risks you have within your organization, maybe you start really with a high level business impact analysis, derive the resources and the related risks to get basic understanding which are your most important resources. And then from that you can start building policies and all that stuff. Yeah,
So bottom line is every organization needs a Caesar, perhaps not a full-time C. Right?
Are there any questions here in the room that doesn't seem to be the case? And thanks again Christopher for your presentation. Perfect,
How can we help you