Four steps to hiring the best CISO in an IoT world
Of all the new technology processes shaping the next wave of digital transformation, perhaps none is more prominent than the Internet of Things (IoT). As Phil Celestini, senior vice president and chief security and risk officer at Syniverse reports, this technology is spawning a new ecosystem of interconnected networks and data transactions that is rapidly expanding and redefining how we do business.
But what’s often overlooked is that the IoT is also an internet of shared services and data. This fact is one of the biggest challenges for companies looking to integrate their businesses with the IoT, and at the same time ensure that attack vectors and associated risks are addressed. These defences involve various skill sets and teams led by the chief information security officer (CISO).
From a risk perspective, in fact, the public internet was never designed to be a secure environment. It was conceived as a network with built-in redundancy for academics and researchers to share data, not protect access to it. Consequently, it’s more a best-effort network than the best-in-class network needed to ensure the confidentiality, integrity and availability of transactions. Since the IoT’s premise is built upon connectivity, a malevolent attack that compromises this connectivity has the potential to wreak unprecedented havoc. Having the right leadership to drive your information security team’s success in defending against such havoc is crucial.
With this in mind, businesses must strike the right balance between staying secure and leveraging innovation to take advantage of advances like the IoT. A crucial part of this starts with selecting the best CISO, something I did several months ago with great success. Here are four factors I have considered when assessing candidates for the CISO position, based on more than 35 years of experience in high-risk operations and overseeing various facets of security for businesses, the FBI, intelligence community, and military.
Four factors for hiring a CISO
- Security is in the title, but won’t be the only job: Security should be treated as a service that needs to be operated as a business within your business. That means CISOs need to understand their company’s strategy, business objectives and risks to truly provide value. In addition, there are benchmarks, best practices, and regulations that will dictate how information technology and data are to be secured. In this respect, CISOs can provide security and market insights that sales and marketing teams can use to create a strong corporate story about security posture to make your company stand out from the competition.
- CISOs should openly communicate with the C-suite: A culture of security is supported by factors like how an organisation is aligned and how reporting is structured. When it comes to enterprise risk, a CISO should report as directly as possible to the C-suite. There will be differences based on an organisation’s size and maturity, but the closer access to the CEO is, the less “filtered” critical conversations will be. Risk-based decisions that a CISO needs elevated to the C-suite can sometimes be difficult to communicate to senior leaders, because those decisions will affect other stakeholders and rarely happen in a vacuum.
- ‘Security’ has broadened: Twenty years ago, it was common to work in an organisation where “security” meant having someone in IT managing a firewall. But marketplace dynamics and consumer demands have since influenced how businesses operate and driven the need for professional information security staffs. Today, outside factors like regulations, legal requirements, and customer demands drive the need for robust security just to stay in business. CISOs should be armed with this knowledge and the right budget to enable them to define their security strategy in the realistic context of their business’s finances and objectives.
- The best CISOs are the best students: CISOs need to be technically skilled, strong leaders and astute business managers. The CISO role is a journey, and good CISOs must be committed lifelong learners. The industry never stops evolving along with technology, which means threat vectors will continue to become more complex, as will data privacy laws and a host of other external “influencers” on the CISO’s role. This generates a constant need to maintain and refresh knowledge in order to adhere to sound risk-management practices.
The rapid growth of IoT devices and applications dependent on the public internet is opening a new era in connectivity – and vulnerability. As businesses seize the opportunities of this era, they risk leaving commercial data and systems exposed to a public internet never intended for that purpose.
Ultimately, companies that want to conduct business and transfer data with certainty, security and privacy must have a security strategy to protect their operations from the public internet, and a critical part of this strategy involves finding the right CISO. The four factors here offer a useful foundation for informing this process.
About the author
The author is Phil Celestini, senior vice president and chief security and risk officer at Syniverse.