ARTICLE | January 4, 2023 | 5 MIN READ
It’s a dangerous world. You need the right team in place to protect your network
By Chris Morrison, Workflow contributor
Cybersecurity has never been a more vital business issue. While the growth of cybercrime has been noted for years—in 2021 alone, one study found intrusions increased 50 percent from the year prior—trends like work-from-home, migration to cloud, and geopolitical instability have led to a qualitative spike in risk.
Weak cybersecurity can cost a business plenty. While the average cost of a breach across all company sizes and industries was $4.35 million in 2022, the largest breaches averaged $387 million when taking into account detection, response, regulatory costs, and lost business, according to a report by IBM. So it’s increasingly imperative that companies approach their cybersecurity organizational structure deliberately.
Yet doing so has become increasingly complex.
The challenge goes beyond the highly publicized cybersecurity talent shortage. It begins at the top, with the chief information security officer (CISO). Some companies still don’t have this role; those that do range in how they establish its reporting structure and responsibilities, each trying different approaches based on their varied and changing attack surfaces.
In short, there is no one-size-fits-all structure to a cybersecurity organization. But several models that have emerged from the most-attacked industries point the way to one that communicates and acts effectively across all business levels. Here are the key roles for a strong cybersecurity operation built to keep an organization secure.
The first-ever CISO, Steve Katz, was hired by Citicorp in 1995 after the bank was the target of significant cyberattacks. Katz reported to the CTO. But as the role evolved, a debate emerged in the cybersecurity industry about whether the CISO should instead report to the CEO to signal its importance and dispel notions that cybersecurity was merely a subset of IT.
Today, that debate has become more nuanced. Many security experts believe that CISOs work best when closely tied to IT. As a result, most CISOs report to a CTO or CIO. At the same time, CISOs have also gained board-level visibility.
A 2021 survey of CISOs by executive search firm Heidrick & Struggles found that 90 percent present directly to the board or its audit committee.
This ability to take security issues directly to the top could soon become law for large companies—the Securities and Exchange Commission recently proposed a new rule that would require reporting on how corporate boards oversee their cybersecurity risk.
The CISO role is also widely acknowledged as being difficult to hire for, which is why some firms have begun adapting the position to individual candidates. For instance, someone with significant cybersecurity chops but less direct experience in a business vertical could still get hired and receive support to supplement the domains where they are weak.
“The org chart and the way the CISO’s function is structured should depend, to a degree, on the individual,” says William Beer, the North East financial services security lead for Accenture. But it’s a risky proposition, given the high turnover among CISOs. “You could argue that if the average tenure of a CISO is 18 months, that could mean a lot of organizational change as you swap in CISOs. But I’m hoping the general trend of the life of a CISO is expanding.”
The shortage of well-rounded CISOs has a mirrored problem: the growing complexity and responsibility of the role. Some companies are responding to this by splitting up the job’s responsibilities to other roles.
The CISO survey also found a growing divide between the everything CISO—who holds responsibility across the areas of risk, security, and trust—and specialist CISOs who focus on just one area. Specialist CISOs can help address leading areas of concern, like the cloud, and fit well within various security operating models.
Complex industries may also create specialized roles that are adjacent to the CISO such as the business information security officer, or BISO, whose role is to understand and defend a specific business unit. “The CISO’s remit is very significant, and when you combine it with technical and regulatory issues, clearly there’s only so many hours in a day,” says Beer. BISOs can help alleviate that pressure and bridge the gap between business units that have their own complexities. Yet companies shouldn’t assume that they can get away with only hiring specialists to solve a particular problem and forgo an “everything CISO.”
“When you’re seeing an organization that only wants a narrow band of security, typically it’s because they’re seeing a risk in that area, and they’re not aware yet of risks or pain in other areas,” says Matthew Rosenquist, a former cyber leader at Intel who is now CISO at cloud security firm Eclipz.io.
A cybersecurity steering committee is a must-have. Such a group can go by varying names such as the security executive council or the enterprise risk committee. Its purpose is to bring together stakeholders from different parts of an organization, including the COO, CIO, general counsel, and division leaders. Many companies also place board members on such committees.
At its best, a steering committee helps enact plans for managing vulnerabilities and incident responses, as well as facilitating communication between business unit leaders and the CISO.
“You can’t say, I’m just going to hire a CISO and they’ll make things secure, nobody else has to do anything. That doesn’t work and you’re going to pay for it if you try,” Rosenquist says.
However, some committees end up being ineffectual. Why? Because they lack clear operating procedures or authority to force compliance with new policies. Kayne McGladrey, who consults with individual clients for the security firm Hyperproof, recommends reviewing corporate governance procedures to ensure that a committee can have real clout. “If it doesn’t have the authority to make independent decisions, you can have a lot of smart people who make recommendations that go nowhere,” he says.
SecOps, which combines cybersecurity and IT operations, is one of the most critical pieces of a company’s security organization, acting as a watchtower staffed with “threat hunters,” IT professionals who identify and investigate potential intrusions. SecOps relies on a suite of integrated tools, known as security orchestration, automation, and response (SOAR) software, that automates threat analysis and remediation.
The rapid improvement in SOAR software has given rise to the fusion center, which is similar to SecOps but has a broader remit. Fusion centers combine detection, threat intelligence, and data and user analytics, and have more connection points to the rest of the company. Unlike SecOps, which is often seen as siloed, fusion centers constantly report into and advise the rest of the business on threats.
The cloud, for all its benefits, has also been responsible for increased vulnerabilities that businesses must now monitor and mitigate. The profusion of data has led to so-called third-party attacks, where hackers steal a company’s data to target its vendors. These attacks can even extend to fourth parties—for instance, a third-party vendor that stores data in its own cloud service.
In response to these problems, security teams must consider how to safeguard data at every step of the journey using a zero-trust framework. If the company uses an off-premises cloud service, it must erect new controls over how, why, and when data is transmitted to or from that service. At the same time, the company’s own on-premises systems cannot be trusted. If security in the past was like a house, with an assumption of safety once you’ve unlocked and passed through the front door, the new paradigm is a fortress, with multiple inner lines of defense.
“This is basically about micro-segmentation,” summarizes Rosenquist. “Instead of big walls on the outside and soft in the center, you have walls all over the place and you’re constantly asking what should be allowed.”
The new era of cloud computing is a wake-up call to companies that have delayed investment in cybersecurity—threats aren’t getting any easier to handle and security can’t be siloed away from the rest of the company.
Other units that can form under the domain of the CISO include app security, emergency ops, program management, people security, and security architecture. Ultimately, the necessity of these roles depends on a company’s scale, industry vertical, and values.
The best teams will be built not only by CISOs, but by board members, business leaders, security vendors, and others who can take those risks into account.
Being prepared for cyber attacks has never been more critical. In 2021, intrusions increased 50% with an average cost of $387 million per breach for some of the largest attacks. While there is no one-size-fits-all structure to a cybersecurity organization, several models have emerged that point the way to one that communicates and acts effectively across all business levels.
A strong cybersecurity organization begins with a chief information security officer (CISO), who may be a generalist or a specialist. Experts note that companies that hire a specialist may find themselves limited when other cybersecurity areas emerge in need of other expertise.
Backing up the CISO should be a cybersecurity steering committee with top-level executives that help with strategy as well as communication with other business leaders. The CISO oversees security operations and the fusion center, two groups that build protections, monitor threats and vulnerabilities, and address any breaches.