It’s a dangerous world. You need the right team in place to protect your network.

Security teams need people who understand tech and can communicate effectively with non‑technical colleagues
A council made up of execs from across the company can help elevate the importance of security
Emerging software tools can help compensate for overstretched staff

Security organizations are between the proverbial rock and hard place. Cybercrime is rampant—hackers caused an estimated $21 billion in losses to U.S. companies in 2017, according to Accenture. Every year, attacks get more sophisticated and harder to detect and recover from. Meanwhile, security organizations are understaffed. It’s hard enough to fill entry‑level positions from a depleted global talent pool, let alone find a qualified chief information security officer. How should a company structure its security organization to combat modern threats and account for staffing and skill constraints?

To find answers, we interviewed a diverse group of experts—CISOs, analysts, security companies, and management consultants. We also tapped academic research, such as an influential CISO org model developed by Carnegie Mellon University and the Software Engineering Institute.

The next‑generation security team we describe below covers core responsibilities like safeguarding software, monitoring networks, incident response, and training employees. We acknowledge the reality that most security teams are likely to remain shorthanded for the next few years.

The CISO

Despite the title, most CISOs didn’t have C‑level responsibilities when the role emerged in the 1990s. Typically, the senior security person reported to the CIO. Today, while the debate is hardly settled, there’s a growing consensus that CISOs must report to the CEO to be truly empowered.
That’s also a reflection of how the job has changed. The CISO can’t just be a techie. Doing the job well now means educating everyone in the organization and successfully advocating for the budget to fight threats that are often hard to see and understand. In recognition of this broader mandate, some companies, such as health tech company Welltok, merge the CISO and CIO roles into one.

“It is not a stretch to find CISOs with the appropriate technical skills,” says David MacLeod, Welltok’s CISO/CIO. “It’s difficult, however, to find ones with the right business sense and people skills.” It’s no surprise that the CISO role is still one of the hardest tech roles to fill, with a shortage of experienced senior‑level recruits.

Security executive council

Without buy‑in from other parts of the organization, any CISO will likely fail. Conversely, without insights from the CISO, the rest of the organization won’t fully embrace security strategy and culture. A security executive council can help solve both problems. Made up of stakeholders from other parts of the organization, such as the COO, CIO and general counsel, this group helps the CISO understand and move in sync with the company at large, and also helps get buy‑in for training programs and other key initiatives.

“Even though the word ‘committee’ brings with it a sense of frustration, I think committees that have good representation from different parts of the organization can be key,” says William Beer, principal advisor specializing in cybersecurity at Ernst & Young. “It’s really about the tone from the top.”

Read the full article on ServiceNow’s Workflow site. To learn more, visit ServiceNow’s website dedicated to CIOs and education about the benefits of machine learning.