by Charlotte Trueman

Does your organisation need a CISO?

Dec 14, 2018
Careers | IT Leadership | Security

How rising data security fears have boosted the role of the Chief Information Security Officer

It seems like every time we turn on the news we’re confronted with a story about a high-profile company suffering a major data breach that has affected thousands, if not millions of their customers.

Unfortunately, we’re in danger of becoming immune to these stories, seeing them as nothing more than business as usual.

The truth is, data security has never been more important. The introduction of the EU’s General Data Protection Regulation (GDPR) was testament to that, forcing companies across the globe to get serious about how they collect, store and destroy the personal information of their customers.

The state of California has also passed its own law that mimics GDPR in order to boost the rights consumers have surrounding their own data.

As a result, a growing number of companies are actively hiring a dedicated CISO/CSO (Chief Information Security/Chief Security Officer) to help them handle sensitive data and mitigate the very real threat of data leaks or breaches that can cost organisations both financially and in terms of reputation amongst their customers.

According to Ponemon Institute’s 2017 Cost of Data Breach Study, in 2017 the average cost of a data breach across the ASEAN region was US$2.29 million. The report also found that appointing a CISO could reduce the cost of said breach by about US$5 per stolen record.

While hiring a CISO has clear benefits, it doesn’t guarantee your business won’t be hit by a cyberattack. However, there is very little downside to improving internal security practices and hiring someone with a fundamental understanding of how security systems work.

The role of the CISO

As the nature of the threat landscape has evolved over the past few years, so too has the role of the CISO. A position that was once purely focused on the technical has now become more business orientated, with CISOs needing to take a proactive and business-focused approach to security.

While the role still oversees the hiring of an internal security team, CISOs must now also take responsibility for deploying security hardware, setting, reinforcing and updating a company-wide security strategy and auditing current systems to monitor any potential security flaws and mitigate future risks.

With different countries and continents implementing their own data governance laws, having a dedicated CISO can also prove crucial in allowing your organisation to conduct business overseas.

Why CISOs matter more than ever in 2019

Between 27th June and 4th July this year, a cybercriminal gang stole the medical records of 1.5 million citizens from one of Singapore’s biggest healthcare groups, SingHealth.

The hackers used a malware-infected computer to gain access to the database, but officials said there had been a sustained and specific attack against the Prime Minister, Lee Hsien Loong, whose medical records were stolen in this breach.

In July 2016, Vietnam Airlines suffered a data breach that saw hackers get their hands on the personal information relating to 410,000 customers. The attack was carried out by self-proclaimed Chinese hackers who compromised the national flag carrier’s website.

The data stolen, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.

Despite the continued growth of the digital economy throughout the ASEAN region, levels of cybersecurity readiness fluctuate significantly from country to country. To date, Malaysia, Singapore and the Philippines have some data privacy laws in place.

Furthermore, a report by A.T. Kearney states that the region is a hotbed for cyberattacks, with countries like Vietnam and Indonesia playing host to significant amounts of suspicious web activity and malware launch pads.

As a nation, Singapore has a robust cybersecurity infrastructure. However, research by ServiceNow has shown that CISOs in Singapore are, on average, lacking the resources necessary to make their company’s security strategy a success.

However, earlier this month, the Data Protection Excellence Network announced plans to provide better support for recruiters in boosting the number of Data Protection Officers (DPOs) in the region.

Advertised positions for data privacy experts in Singapore grew 23% year-on-year in September 2018.

Unfortunately, this is not enough to mitigate the security concerns dominating the rest of the continent.

An overwhelming 75% of CISOs in Asia are worried that data breaches are going unaddressed, with a further 71% raising concerns about their ability to even detect the breach in the first place.

Does your organisation need a CISO?

For the majority of large scale organisations, employing a CISO makes sense from both a financial and a security perspective.

As the threat landscape becomes harder to navigate, leaving the safety of personal data to chance is a risk most companies are no longer willing to take.

However, for smaller companies that lack the budget, structure or means to hire a dedicated security officer, there are other alternative solutions that can be put in place.

Traditionally, the CIO would take responsibility for data security, so absorbing the role of the CISO back into that of the CIO could help to temporarily bridge the security gap.

The bottom line is that whether it’s your CISO, DPO or someone else inside your company who has responsibility for your security strategy, ensuring they have the budget and support they need to do their job is fundamental.

As threat actors get smarter and cyberattacks become more sophisticated, the security of your company and the data it holds is far too valuable to be left at risk.