Security teams need people who understand tech and can communicate effectively with non-technical colleagues
A council made up of execs from across the company can help elevate the importance of security
Emerging software tools can help compensate for overstretched staff

Security organizations are between the proverbial rock and hard place.

Cybercrime is rampant—hackers caused an estimated $21 billion in losses to U.S. companies in 2017, according to Accenture. Every year, attacks get more sophisticated and harder to detect and recover from. Meanwhile, security organizations are understaffed. It’s hard enough to fill entry-level positions from a depleted global talent pool, let alone find a qualified chief information security officer.

How should a company structure its security organization to combat modern threats and account for staffing and skill constraints?

To find answers, we interviewed a diverse group of experts—CISOs, analysts, security companies, and management consultants. We also tapped academic research, such as an influential CISO org model developed by Carnegie Mellon University and the Software Engineering Institute.

The next-generation security team we describe below covers core responsibilities like safeguarding software, monitoring networks, incident response, and training employees. We acknowledge the reality that most security teams are likely to remain shorthanded for the next few years.

The CISO

Despite the title, most CISOs didn’t have C-level responsibilities when the role emerged in the 1990s. Typically, the senior security person reported to the CIO. Today, while the debate is hardly settled, there’s a growing consensus that CISOs must report to the CEO to be truly empowered.

That’s also a reflection of how the job has changed. The CISO can’t just be a techie. Doing the job well now means educating everyone in the organization and successfully advocating for the budget to fight threats that are often hard to see and understand. In recognition of this broader mandate, some companies, such as health tech company Welltok, merge the CISO and CIO roles into one.

“It is not a stretch to find CISOs with the appropriate technical skills,” says David MacLeod, Welltok’s CISO/CIO. “It’s difficult, however, to find ones with the right business sense and people skills.”

It’s no surprise that the CISO role is still one of the hardest tech roles to fill, with a shortage of experienced senior-level recruits.

Security executive council

Without buy-in from other parts of the organization, any CISO will likely fail. Conversely, without insights from the CISO, the rest of the organization won’t fully embrace security strategy and culture.

A security executive council can help solve both problems. Made up of stakeholders from other parts of the organization, such as the COO, CIO and general counsel, this group helps the CISO understand and move in sync with the company at large, and also helps get buy-in for training programs and other key initiatives.

“Even though the word ‘committee’ brings with it a sense of frustration, I think committees that have good representation from different parts of the organization can be key,” says William Beer, principal advisor specializing in cybersecurity at Ernst & Young. “It’s really about the tone from the top.”

Read the full article on ServiceNow’s Workflow site.

To learn more, visit ServiceNow’s website dedicated to CIOs and education about the benefits of machine learning.