Professionals from the cybersecurity industry have called for clarity regarding the role of chief information security officers (CISOs) to ensure that organisations are able to protect themselves from cyberattacks and put in place robust cybersecurity protocols to mitigate risks.
Incidents of cyberattacks are rising and cost British businesses £17 billion a year, according to research by Cyber Security Connect UK. The organisation found that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes. The research has also found a lack of skilled, fully qualified professionals coming into the profession.
Mark Walmsley, the chair of the Cyber Security Connect UK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyberattack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defence against such events is a dedicated person to lead the fight against cyberattacks. Not only does this person need to be qualified, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job to effect and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.
“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardisation and guidance can the role be fully effective. As further digitisation of processes occurs and cyberattacks become more sophisticated, this need will only become greater.”
In order for standardisation to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.
“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained.
“This includes comparing the role within different organisations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries. Only then can we start to put clear and vital guidelines in place to both regulate and create consistencies within the CISO role. The benefit to businesses of doing this could be enormous.”
Further research about the roles of CISOs will be revealed during Cyber Security Connect UK (CSCUK), a conference and industry forum for CISOs taking place in Monaco next month.