The Secrets of Cybersecurity: is a CISO indispensable for companies?
Importance of cybersecurity for companies
In an economy reshaped by the coronavirus pandemic, companies are integrating information technology into their processes faster than ever. Information has become a core asset owned by companies and a target for attackers who steal data to sell it on the black market. A company that fails to address digital threats risks losing customer confidence, which in turn leads to weaker financial performance and a loss of competitiveness. Regulators may also impose sanctions on companies that neglect information security.
Large multinational corporations and SMEs alike are likely targets of cyberattacks, and companies that do not pay enough attention to cybersecurity are the ones most likely to suffer from them. Whatever the field of business, both SMEs and large enterprises gather large volumes of confidential information not only about their goods and services but also about their customers. Payment card data held on behalf of customers, for example, is of particular interest to attackers. Many entities do not even realize the severity and complexity of the threats they face. Only businesses that actively invest in their information security have the potential to succeed in the market.
Who is responsible for cybersecurity in modern companies?
Depending on their size, sector, and the nature of their business, companies may appoint different officers responsible for cybersecurity. As a rule, a company appoints a chief information security officer (CISO) to protect it from cyber threats. One of the main functions of a CISO is to communicate with the company's executives and keep them informed about information security risks. A CISO is responsible for developing the company's information security strategy, and the officer's performance is judged by how well the company withstands cyber threats.
In the modern business environment, the core task of a CISO is to decide how the company's data will be protected from theft by criminal and state-sponsored attackers. A CISO also coordinates the work of business managers and IT specialists in monitoring the security of the company's applications, databases, computers, and web resources against external threats. To perform these functions effectively, however, a CISO needs a team of specialists: beyond oversight, the CISO is responsible for developing plans to prevent data theft and for setting the company's cybersecurity budget.
One of the main duties of a CISO is to conduct regular information security audits. If the company has suffered a cyberattack, the CISO develops the strategy for containing its consequences and restoring the affected systems. The CISO is also responsible for keeping records and reporting on the state of information security in the company. Given the complexity of these tasks and the level of responsibility, only specialists with professional qualifications and deep expertise in cybersecurity can fill the post. The average salary of a CISO in the USA is in the range of $15,000 to $20,000 per month, and Fortune 500 companies may offer two or three times that. Adding the salaries of the CISO's subordinates, it is clear that companies spend significant financial resources on protecting their information assets from cyberattacks.
A chief technology officer (CTO) also plays an important role in protecting a company from cyber threats. It is a managerial position. The main duties of a CTO are to select and assess the technologies the company applies to ensure information security. A CTO is responsible for hiring and training information security specialists, checks that the company follows the prescribed technology standards, and estimates the risks of adopting new technological solutions to protect the company from cybersecurity risks. The average salary of a CTO in the USA is in the range of $18,000 to $20,000 per month.
Overall, the functions of a CTO and a CISO partially overlap. That is why SMEs often combine the two roles to reduce their expenditure. Large enterprises, on the other hand, still rely on an information security model that provides for the appointment of both a CISO and a CTO.
Are there any alternatives to a CISO?
Companies with significant financial resources employ both a CISO and a CTO to strengthen their cybersecurity. However, even well-known brands fall victim to cybercriminals. At the end of 2020, FireEye, considered one of the leading brands in the cybersecurity field, suffered a cyberattack. The attackers obtained the Red Team assessment tools that the company uses to test its clients' resistance to digital threats, and FireEye reported that they also sought information related to some of its government customers. The company published more than 300 countermeasures (detection rules) so that organizations could detect any use of the stolen tools. FireEye fell victim to this attack despite having invited the CISO of PepsiCo to join its board of directors in August 2020.
In December 2020, the US company Accellion, which develops secure file transfer solutions for organizations all over the world, experienced a cyberattack in which about 100 gigabytes of its clients' confidential information was stolen. The attackers exploited zero-day vulnerabilities in the company's legacy product, the File Transfer Appliance (FTA), and the information security of around 50 Accellion customers was compromised. Accellion experienced a further series of attacks in January 2021. Although the company had a CISO and used a number of specialized security products, it failed to protect its customers' data from theft. Generally, most companies do not even suspect the presence of vulnerabilities in their systems, because they consider their information security practices to be adequate. That is why security testing performed by companies that can imitate the behaviour of real attackers is of the greatest importance. For instance, the cybersecurity company Hacken provides network penetration testing services to customers.
It is reasonable to conclude that a large staff of information security specialists supervised by a CISO does not guarantee a company ultimate protection against digital threats. Attackers always try to stay one step ahead of businesses, and companies often find that even recently released solutions meant to strengthen their security contain vulnerabilities that attackers can exploit.
In their work, CISOs tend to follow pre-determined rules that remain unchanged for many years or are subject only to minor modifications. This is common among specialists who work in the same company for a long time, and their flexibility in reacting to modern information security challenges is correspondingly low. It is therefore reasonable for businesses to invite companies that specialize in cybersecurity to test the state of their information security by performing penetration testing (pentesting). These companies work with customers in many different industries and therefore deal with a wide variety of information security threats. Consequently, they can reveal vulnerabilities that the CISO and other in-house specialists have not detected. Today, whatever the number of responsible managers a company employs, no company can ensure the ultimate security of its information against external threats using solely its own resources and expertise. That is why companies should consider delegating the functions of a CISO to a CTO, who would in turn perform these functions by engaging specialized companies to carry out pentests. Such companies can perform web application, Android, and iOS penetration testing for customers. The price of a pentest ranges between $10,000 and $20,000, and even if a company orders pentests on a quarterly basis, its expenditure will be much lower than the cost of paying salaries to a CISO and a supporting team. Through pentests, companies can find and fix the vulnerabilities that attackers would exploit to steal information, and can assess their resistance to denial-of-service (DoS and DDoS) attacks. One caveat a practitioner would add: a pentest is a point-in-time assessment, so someone inside the company still has to own the remediation of its findings, routine patching, and incident response between engagements. The cybersecurity company Hacken provides this type of service.
As a result, companies can maximize the level of their information security while reducing their personnel costs.
Overall, the level of a company's information security depends on the effectiveness of its employees' work rather than on their number. At a time when attackers are actively committing crimes in the virtual environment, companies should prioritize resistance to digital threats. Hiring additional specialists for this purpose alone is an outdated solution. Companies can use their financial resources much more efficiently by delegating part of their information security functions to specialized third parties. Generally, by ordering regular pentests to assess the level of their information security, companies can significantly optimize their personnel budget while becoming more resistant to external cyber risks.