The chief information security officer (CISO) is the executive responsible for an organization's information and data security.
According to IDG's 2020 Security Priorities Study, 61% of surveyed companies have a CISO, though that rate goes up to 80% for large enterprises.
CISO pain points in Asia
“From my perspective, from what I see, in particular, I think the speed of technology evolution is a real challenge and presents an obstacle to overcome in terms of ensuring that we can secure systems and ensure that we've got appropriate management around data against what is a really quickly evolving backdrop,” he elaborated.
He further opined that the nature of technology evolution, agile development, the need, and the appetite for new features are all put pressure on security by design policies and processes.
“Maintaining that organizational discipline and ensuring that processes are in place to end, making sure that the security elements of that do not fall behind, I think is really, really important,” he added.
He also stressed that the competition for and retention of skilled individuals in a highly competitive job market is a real challenge for everyone now. He acknowledged the wealth of talent in Asia as well as a huge demand across the security landscape. This is the real issue, he called out.
Easing the CISO pain points
Is something being done to ease the CISO’s pain points? Cruxton believes there are several approaches to do so. He stressed that security must be embedded into the software development process – a concept IDC DevOps analyst, Gina Smith, called DevDecOps.
He acknowledged that the bigger pain point around talent retention of the right skills and experience is going to be around for some time.
“There is a big investment at the front end in terms of young people recognizing that technology is an environment they need to work in. But in terms of the strong niche skills, from a security perspective, that's something that we see as being a continuing challenge for us,” he continued.
He cautioned that what is needed is someone with the skills and insights to understand that this is about sensible and pragmatic choices, to allow a business to succeed, while defending and protecting the value of that business, to the, to the best ability that it can and that that's about calibrating risk appetite.
“I think that one of the really important skillsets for a CISO is to be engaged in those discussions and to be able to reach into the board where necessary to help them to calibrate where that appetite might need to sit.”
While a CISO with deep technical knowledge is a huge benefit, as is having experience or qualifications in that environment.
Spreading the risk
Cruxton is not married to the idea of a single person with all the right skills, expertise, and experience. He is concerned this person becomes the single point of failure for the company.
He believes it is more beneficial to “spread out some of the equities that you've got across the business and allowing people to learn from each other as well, which I think is a really important point.”
“Within Callsign, we work really hard at defining responsibilities accountabilities. And as a result, we think that we have clarity about who has the leadership role and the ownership of managing and delivering against critical accountabilities within that. There are opportunities for doing that. But you do need to get yourself organized to do that,” he concluded.
Cruxton commented that there is always that tension between security and the ability of a business to do what it needs to do to be successful and to thrive. “I manage those elements, I also have responsibility for our security risk and compliance functions, business resilience capabilities,” he added as he described his role at Callsign.
Click on the podchat player and listen to Cruxton offer his advice on overcoming the most common CISO pain points in Asia.
- Specific to Asia, what are the top 3 CISO pain points?
- How are these being addressed today?
- Can something be done to improve the outcome?
- To address these pain points, what is the IDEAL COMPLEMENT of expertise needed by the CISO?
- Is reporting to the CIO the best option for the CISO to address his/her functional goals?
- If not CIO, who is the best option?
- Name 3 best practices for a CISO to be effective at his/her role?
- Not all organizations in Asia have a CISO role. When such a role is not around, how should a business delegate the responsibility?