Cybersecurity Leadership Demystified - Dr. Erdal Ozkaya - E-Book

Description

The chief information security officer (CISO) is responsible for an organization's information and data security. The CISO's role is challenging as it demands a solid technical foundation as well as effective communication skills. This book is for busy cybersecurity leaders and executives looking to gain deep insights into the domains important for becoming a competent cybersecurity leader.
The book begins by introducing you to the CISO's role, where you'll learn key definitions, explore the responsibilities involved, and understand how you can become an efficient CISO. You'll then be taken through end-to-end security operations and compliance standards to help you get to grips with the security landscape. In order to be a good leader, you'll need a good team. This book guides you in building your dream team by familiarizing you with HR management, documentation, and stakeholder onboarding. Despite taking all that care, you might still fall prey to cyber attacks; this book will show you how to quickly respond to an incident to help your organization minimize losses, decrease vulnerabilities, and rebuild services and processes. Finally, you'll explore other key CISO skills that'll help you communicate at both senior and operational levels.
By the end of this book, you'll have gained a complete understanding of the CISO's role and be ready to advance your career.

The e-book can be read in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 421

Year of publication: 2022




Cybersecurity Leadership Demystified

A comprehensive guide to becoming a world-class modern cybersecurity leader and global CISO

Dr. Erdal Ozkaya

BIRMINGHAM—MUMBAI

Cybersecurity Leadership Demystified

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Shazeen Iqbal

Content Development Editor: Romy Dias

Technical Editor: Shruthi Shetty

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Sejal Dsilva

Production Designer: Shankar Kalbhor

Marketing Coordinator: Hemangi Lotlikar

First published: January 2022

Production reference: 1040122

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80181-928-2

www.packt.com

This is my sixteenth book with my name on the cover and, like its predecessors, this book represents several years of in-depth research, analysis, and real-life work experience.

Each book takes a lot of time to come into your hands, and each book means I am stealing time from my most loved ones. Like all my other books, I would like to dedicate this book to my wife, Arzu, my son, Jemre, and my daughter, Azra. Their endless love and support are motivating me to do even more.

In this book, I have a special "Ask The Expert" section, like in some of my other books, and I'm honored to welcome Dr. Timothy Summers, Dr. Suleyman Özarslan, Dr. Mike Jankowski, and my very close friends Marcus Murray, Raymond Comvalius, Sukru Durmaz, Raif Sarica, Vladimir Meloski, Paula Januszkiewicz, and Mert Sarica. They shared their time, insight, and experiences freely and without reservation. I am thankful for the contribution of their expertise and wisdom in this book.

Additionally, I thank the Packt team for their support.

Foreword

The Chief Information Security Officer (CISO) executive plays one of the most critical roles in today's business environment. Together with their team, they evaluate all possible security risks that face an organization, and subsequently develop and put in place measures that will minimize these risks and the impact of these risks if a security incident occurs.

The CISO communicates all the identified risks to all the stakeholders of an organization and makes decisions on the best means to achieve higher levels of security while considering all the business repercussions of their decisions. This book focuses on the role of the CISO and how they go about playing their role to ensure heightened security for the organizations they work for. In a world of increased cyber dangers, which are continually evolving, every business now needs to have an individual who will play the role of the CISO in an organization to help keep the business more secure from cyber-attacks.

The cyber-world presents many dangers to the modern business landscape, especially with the increased integration of technology into all parts of modern businesses. Some of these dangers manifest in the form of hacks leading to loss of data, access to systems, disruption of business operations, and loss of finances, especially when the attackers corrupt systems and/or steal data and ask for a ransom to return the stolen data. CISOs need to coordinate with all the business departments to ensure that all the business operations are conducted securely and that cyber attackers do not find loopholes in the system to exploit. This book addresses all cybersecurity issues that relate to the CISO role including laws and policies that an organization needs to comply with to enhance the cybersecurity aspects of its business operations.

The book will immensely benefit CISOs as it highlights how critical their role is, how their role has been evolving in the recent past, and what they can do to improve their effectiveness in the CISO role. The CISO executive's role in HR by helping with the hiring of the right personnel, their contribution to optimal budgeting functions, and their increased importance to long-term strategic decision-making for organizations are some of the roles that are discussed in detail throughout the book.

The current cybersecurity posture

As you all know, malware/ransomware is legitimate code (within the context of the CPU instructions) that is doing illegitimate things. The code is legitimate because the CPU understands and executes the code in this executable file that we call malware/ransomware. However, what this code does is bad for us…so why are we allowing this malware/ransomware to execute?

Today, the vast majority of the cybersecurity world works with allow everything, deny the bad. They try to deny the bad by trying to detect it by using AI, machine learning, heuristics, behavior analysis, and Endpoint Detection and Response (EDR). I must say, the results speak for themselves! Breach after breach, damage after damage!

The amount of money spent on cybersecurity compared to the damage sustained is unacceptable, all because of a poor posture choice.

This posture is not a posture you can achieve. It's an impossible posture! You cannot deny the bad if you don't know that it's bad! It's mathematically impossible. Detection cannot be, should NOT be, the first or the ONLY method for protection! 100% detection does not exist. It's a scientific fact! No cybersecurity product can detect 100%!

The bottom line is that allowing everything while denying the bad means when you fail to detect something, you get breached! This posture gives you a guaranteed breach, mathematically speaking. Yep, it's guaranteed that you will be breached!

Ask yourself this question: "How will you prevent damage when your cybersecurity product fails to detect?" No matter what the detection method may be (AI, machine learning, heuristics, behavior, signature, and so on), they all are trying to detect something bad…and they can never be 100% accurate.

Coming back to posture, allow the good, deny the rest is a posture you can achieve, but it's not user-friendly. Why? Because people don't want to be restricted and want to run applications.

We need a new cybersecurity posture that can give us the best of both worlds: allow the good but also allow the rest with Attack Surface Reduction (ASR).

Here is a brand-new security posture, where you allow the good, but you also allow the rest, but in an environment with an ASR.

This way, you are not restricting users by denying any application from running on their computer, but you are denying any unknown ransomware and malware from causing damage because they run in a restricted (ASR) mode in which they are not allowed to cause damage.

A takeaway thought: If you were the guy creating the ransomware, would you be stupid enough to release it knowing that it will be detected right off the bat, or would you first make sure it can't be detected, before you unleash it?

IF you still wonder why all cybersecurity breaches are happening
THEN go to the beginning of this section and read again!
REPEAT UNTIL you understand

Empowering and protecting your end users

We have one goal: to empower and protect our end users. My motto is "look after our users, money will follow." It works, and it always has. We put our users first. We know that our users empower our business with their business. It's a beautiful relationship that works.

Everything we do is designed to either empower or protect the end users. It's as simple as that, and I highly recommend that CISOs follow this approach. You are the protectors of your organization, customers, co-workers, and shareholders. You need to ensure your users are empowered and protected at the same time. Throughout this book, you will learn many different ways to do so. Erdal did a great job. I believe you will learn a lot. I encourage you to seriously consider the lessons in this book, and I wish you all the best in your journey.

Melih Abdulhayoglu

CEO at MAVeCap

Innovator, engineer, entrepreneur, and cybersecurity leader

Contributors

About the author

Dr. Erdal Ozkaya is a passionate, solutions-focused professional with a comprehensive global background in information technology and cybersecurity.

He worked at Standard Chartered, where he was regional CISO and managing director of the Middle East, Africa, and Pakistan. Before working at Standard Chartered, he was a trusted security advisor and cybersecurity architect at Microsoft, where he perfected the art of mapping customer business problems to technology solutions. He remains committed to delivering accurate, accessible resources to inform individuals and organizations of cybersecurity and privacy matters in the internet age.

Dr. Ozkaya is a collaborative team leader with expertise spanning end-to-end IT solutions, management, communications, and innovation. He is a well-known public speaker, an award-winning technical expert, an author, and a creator of certifications (courseware and exams) for prestigious organizations such as Microsoft, EC Council, and other expert-level vendors with an esteemed list of credits to his name. Dr. Ozkaya is a graduate of Charles Sturt University in Australia.

About the reviewers

Dr. Deepak D. Kalambkar is an IT professional/author with a doctorate in cyber law, a certified ISO 27001 auditor, and a CISO with over 20 years of experience in designing and managing IT infrastructure and creating policies. His experience includes installing and managing Windows/Linux servers, IT policy management, and managing teams of engineers both in-house and outsourced to generate optimum infrastructure efficiency. He works with Safexpay as VP Infosec with the vision to build a digital platform infrastructure that will transform the payment and banking needs of every business globally. Its robust and seamless payment products allow businesses to transact securely and the company is committed to the digital future. He has been honored with several awards and certifications.

Nikolaos (Nick) Thymianis is an information security professional with over 4 years of experience in IT, currently working in Infosec for one of the biggest pharmaceutical companies in the world. Nick has broad knowledge in securing enterprises through incident response, penetration testing, threat hunting, table-top exercises, enterprise architecture, and IT operations. He holds a degree in information security. He is an advisor at the University of Piraeus and has spoken at multiple events as an information security expert.

Table of Contents

Preface

Chapter 1: A CISO's Role in Security Leadership

Defining a CISO and their responsibilities

Definition of a CISO

Responsibilities of a CISO

What exactly is a CISO?

Understanding the similarities and differences between a CISO and a CSO

Distinguishing between a CIO, a CTO, and a CISO

Designing a security leadership role

Expanding the role of a CISO

The changing role of a CISO

How to become a CISO

CISO responsibilities

Who should not become a CISO?

Learning about CISO certification

EC-Council CISO program

CCISO program

Other certifications

Summary

Further reading

Chapter 2: End-to-End Security Operations

Evaluating the IT threat landscape

Knowledge of company operations

Assessment tools

Trends in cyber threats

Devising policies and controls to reduce risk

Internal staff policies

Other company policies

Leading auditing and compliance initiatives

Anti-malware and anti-spyware software

Compliance with international regulations

Examples of regulations and regulatory bodies

Managing information security initiatives

Strategic security planning

The hiring of a security team

Establishing partnerships with vendors and security experts

Establishing partnerships

Security experts as a knowledge resource

System security evaluation tools

Creating long-term working relationships with vendors

Establishing clear communication channels

Customer advisory groups

Summary

Further reading

Chapter 3: Compliance and Regulations

Defining data compliance

Understanding GDPR

The history of GDPR

GDPR key definitions

GDPR data protection principles

The CISO role in GDPR

Learning about HIPAA

Privacy rule

Right to access PHI

Potential risks

The three HIPAA rules

Introducing the CCPA

What does the CCPA entail?

The CCPA rights

Personal information

Failure to comply with the CCPA

Understanding the HITECH Act

Important HITECH amendments and provisions

Goals of the HITECH Act

Getting to know the EFTA

History of the EFTA

The EFTA requirements for service providers

Introducing COPPA

COPPA violations

COPPA compliance

Learning about Sarbanes-Oxley

History of the Sarbanes-Oxley Act

Key provisions of the Sarbanes-Oxley Act

Understanding FISMA

Reasons for creating FISMA

FISMA compliance

FISMA non-compliance penalties

Finding out about PIPEDA

Understanding IT compliance and the CISO's role

Summary

Further reading

Chapter 4: Role of HR in Security

Understanding security posture

Security posture features

IT assets inventory

Security controls

Attack vectors

Attack surface

Automating the security posture

Ways of improving an organization's security posture

Assessing an organization's security posture

Important steps in security posture assessment

Exploring human error and its impact on organizations

Preventing insider security threats

Hiring procedures

Performing verification checks for job candidates

Security education and training

Security risk awareness

Organizational culture

Policies for IAM

General safety procedures

Employment procedures

Vendors, contractors, and consultants – procedures

Tight hiring practices

Using strong authentication mechanisms

Securing internet access

Investigating anomalous activities

Refocusing perimeter strategies and tools

Monitoring misuse of assets

Summary

Further reading

Chapter 5: How Documentation Contributes to Security

Why information system documentation for security is important

What is information security documentation?

Why document?

Approving the security documentation

Maintaining the security documentation

Communicating the security documentation

Understanding compliance with documentation

ISO 27001

Describing some examples of cybersecurity documents

Information security policy (ISP)

Incident management plan (IMP)

Risk management

Disaster recovery (DR) and the business continuity plan (BCP)

Tips for better security

Building a cyber strategy plan

Why do we need to build a cyber strategy?

How to build a cyber strategy

Best cyber-attack strategies

Best cyber defense strategies

Summary

Further reading

Chapter 6: Disaster Recovery and Business Continuity

Integrating cybersecurity with a DPP

BIA

Classification of data

DRaaS

Developing a communication plan

Automated testing processes

Immutable data backups

Data reuse

Continuous updates

Long-term planning

Understanding the relationship between cybersecurity and BC

Planning for ransomware and DoS attacks

Using quality backups

User training and education

Learning about supply chain continuity

Introducing the key components of a BC plan

How to identify BC risks

Types of DR

Using AI for DR and BC processes

Emerging technologies in the DR and BC landscape

Tips on building a strong and effective DR plan

Importance of a certified and skilled cybersecurity workforce

Summary

Further reading

Chapter 7: Bringing Stakeholders On Board

Evaluating business opportunities versus security risks

The role of a CISO in risk management

Optimal budgeting

Communication

Corporate governance

Duties of top management in an organization

Reporting to the board of directors

Getting employees on board

Getting customers on board

Getting shareholders on board

Getting the community on board

Summary

Further reading

Chapter 8: Other CISO Tasks

Contributing to technical projects

Partnering with internal and external providers

Security policies implementation

Security planning needs resources

Role in recruitment

Partnering with security tool providers and consultants

Evaluating employee behavior

Employee motivation

The remuneration and rewarding systems

Employee skill level

User and entity behavior analytics (UEBA)

Financial reporting

Addressing cybersecurity as a business problem

Summary

Further reading

Chapter 9: Congratulations! You Are Hired

How to get hired as a CISO

Qualifications for a CISO job

Job experience

Communication ability

Leadership skills

Steps to follow to become a CISO

The top skills required to succeed as a CISO

Your first 90 days as a CISO

List of dos in the first 90 days

Summary

Further reading

Chapter 10: Security Leadership

Developing suitable security policies

Communicating cybersecurity issues clearly

Getting a bigger budget

Leading by example

Having training conferences and seminars for employees

Building a cybersecurity strategy

Telling your story

Presenting to the board

Leadership and team

Summary

Further reading

Chapter 11: Conclusion

Defining the CISO role and what the role entails

How a CISO ensures E2E security operations are in place in an organization

The compliance factor and how a CISO addresses the issue

The role of HR management in cybersecurity issues

How documentation plays a huge role in effective security leadership

DR and BC factors in cybersecurity

Understanding the role of various stakeholders in an organization

Other CISO roles in an organization

Getting hired as a CISO executive

What security leadership entails

Summary

Chapter 12: Ask the Experts

Protecting and defending your organization from cyberattacks – by Marcus Murray

Path to becoming a successful CISO – by Adel Abdel Moneim

Recommendations for cybersecurity professionals who want to be CISOs – by Mert Sarica

How a modern CISO could work on improving security within their organizations and maintain a good cybersecurity posture – by Dr. Mike Jankowski-Lorek and Paula Januszkiewicz

Advice for a CISO – by Raif Sarica and Şükrü Durmaz

Cybersecurity leadership demystified – Pave your way to becoming a world-class modern-day cybersecurity expert and a global CISO – by Dr. Timothy C. Summers

The future of cybersecurity leadership – by Timothy C. Summers, Ph.D.

Working with security experts – by Vladimir Meloski

A CISO's communication with the board on three critical subjects – by Dr. Süleyman Özarslan

Crush the triangle – by Raymond Comvalius

Another Book You May Enjoy

Preface

Being in an industry that has all the spotlights sounds great. Advising board members on the importance of cybersecurity, being in touch with departments from finance to HR, working closely but separately with IT, overviewing even physical security, and, depending on your organization, traveling and seeing the world as well as having a nice paycheck is perfect.

But be aware that every medallion has two sides to it. You will have countless nights calculating the budget, unrelenting and unforgiving deadlines, trying to sync with a globally distributed team, fighting daily cybersecurity threats, dealing with company politics…it's a list that can quickly make you fear the job, and if it does, then this book and being a Chief Information Security Officer (CISO) might not be right for you.

So, you are a new CISO or want to become a CISO/cybersecurity leader. This means you're interested in having a growth mindset, being mentored while mentoring, and, of course, honing your skills to help take you into the CISO role.

Are you not sure where to start? Then this book is right for you. You will read text from a global CISO who has advised CISOs from his own company in the Asia Pacific region, then at Microsoft across the Middle East, Africa, and Europe. He holds the CISO title at a global bank and, finally, works as CISO in one of the most successful cybersecurity firms in the world.

Who this book is for

The CISO is responsible for an organization's information and data security. The CISO's role is challenging as it demands a solid technical foundation as well as effective communication skills. This book is for busy cybersecurity leaders and executives looking to gain deep insights into the domains important for becoming a competent cybersecurity leader.

The book begins by introducing you to the CISO's role, where you'll learn key definitions, explore the responsibilities involved, and understand how you can become an efficient CISO. You'll then be taken through end-to-end security operations and compliance standards to help you get to grips with the security landscape. In order to be a good leader, you'll need a good team. This book guides you in building your dream team by familiarizing you with HR management, documentation, and stakeholder onboarding. Despite taking all due care, you might still fall prey to cyber-attacks; this book will show you how to quickly respond to an incident to help your organization minimize losses, decrease vulnerabilities, and rebuild services and processes. Finally, you'll explore other key CISO skills that'll help you communicate at both senior and operational levels.

By the end of this book, you'll have gained a complete understanding of the CISO's role and be ready to advance your career.

What this book covers

Chapter 1, A CISO's Role in Security Leadership, explains who and what a CISO is, the requirements of the CISO role, the differences between other technology leadership roles, and what is required in the role for you to be successful. The chapter also covers how to develop the core components needed to be a good CISO for your organization.

Chapter 2, End-to-End Security Operations, covers a day of a CISO and their end-to-end security operations and presents CISO activities that make up this strategy.

Chapter 3, Compliance and Regulations, highlights the issues of data management, data protection, as well as various laws and regulations that have been developed to protect user data. The role of the CISO in data management is to ensure that firms are compliant with regulations to prevent fines, as well as safeguarding companies' reputations.

Chapter 4, Role of HR in Security, addresses the role of CISOs in HR management and intends to show how the HR department is critical to the security of an organization and how CISOs use HR management to improve organizational security.

Chapter 5, How Documentation Contributes to Security, handles the role of documentation in security and the sectors that need to be documented. Documentation helps keep all security processes in check and aids in the evaluation of the current security situation to determine whether updating is required.

Chapter 6, Disaster Recovery and Business Continuity, covers cyber-attacks, data breaches, and how you can build a cyber response and disaster recovery plan based on risk management.

Chapter 7, Bringing Stakeholders On Board, evaluates the CISO's task of security onboarding by evaluating business opportunities versus security risks as well as how a CISO can budget optimally.

Chapter 8, Other CISO Tasks, looks at other important roles CISOs play in an organization, which include such roles as contributing to technical projects, partnering with internal and external providers, evaluating employee behavior, financial reporting, and addressing cybersecurity as a business problem.

Chapter 9, Congratulations! You Are Hired, shows the practical application of what we have learned about the duties of the CISO in an organization and the CISO's first 90 days on the job.

Chapter 10, Security Leadership, provides insights into your role as a security leader in an organization and how to offer security leadership in the most effective manner.

Chapter 11, Conclusion, highlights the dos and don'ts of the CISO role.

Chapter 12, Ask the Expert, is where experts explain their tips and recommendations for CISOs and everyone who wants to be a CISO.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801819282_ColorImages.pdf.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Cybersecurity Leadership Demystified, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Chapter 1: A CISO's Role in Security Leadership

In this day and age, the security of internet-connected devices and applications has increasingly become critical to the success of firms operating in the internet space. While the internet has provided numerous opportunities for businesses to trade, expand their operations, and reach their customers more easily, it has also introduced cybersecurity risks to both the businesses and the customers that interact with them via digital platforms.

Cybercrime has been on the rise in recent years, and data breaches continue to wreak havoc among many companies globally. It has become essential for all businesses that handle financial and other important customer data to implement security measures that keep their organizations secure. Organizations now have departments dedicated to the security issues that arise from their interactions with the digital world.

One of the key positions in modern organizations is the chief information security officer (CISO), who is generally tasked with security-related duties.

In this chapter, you will learn who and what a CISO is, the requirements of the CISO role, the differences between other technology leadership roles, and what is required in the role for you to be successful. The chapter will also cover how to develop the core components needed to be a good CISO for your organization.

You can expect the following topics to be covered in this chapter:

Defining a CISO and their responsibilities
Understanding similarities and differences between a CISO and a chief security officer (CSO)
Distinguishing between a chief information officer (CIO), a chief technology officer (CTO), and a CISO
Designing a security leadership role
Expanding the role of a CISO
The changing role of a CISO
How to become a CISO
Learning about CISO certification

Defining a CISO and their responsibilities

In this section, we provide a definitive description of the term CISO, the role of a CISO in a firm, and the importance of this position in any modern organization. The section attempts to provide readers with an introduction to the world of digital platforms, the role they play in organizations, and the integral role that CISO executives play in making all this happen.

Definition of a CISO

A CISO has an executive-level position within an organization and is tasked with establishing and maintaining various mechanisms and structures that safeguard the informational and technological assets of the organization. CISOs are technologists who can participate in high-level initiatives as business strategists. CISOs ensure that information technology (IT) systems comply with security and regulatory requirements. In summary, a CISO is the top cyber executive of an organization.

The following screenshot shows a man interacting with a digital device that bears the name CISO and depicts a lock. It confers a message of the core role of CISO executives, keeping digital platforms safe from external threats:

Figure 1.1 – A CISO executive keeping digital platforms safe from external threats

In the next section, you will discover the responsibilities of a CISO.

Responsibilities of a CISO

The main responsibilities that a CISO performs in an organization include the following:

Determining and establishing the right governance and security practices for the organization
Creating and enabling a framework that ensures risk-free scalability of business operations
Helping executives at a C-suite level understand cyber risks

These three items are the overarching responsibilities that define the CISO role in any organization. Beyond them, the more specific, day-to-day responsibilities include the following:

- Evaluating the IT landscape and identifying all the factors that affect the security of the organization's digital platforms.
- Devising policies that govern the digital landscape affecting the organization's operations.
- Quantifying security risks, determining the level of risk each poses to the organization, and taking the necessary steps to reduce it.
- Communicating effectively with the rest of the organization about updates and changes to systems, and in the aftermath of a security breach, so that the organization presents a united front when facing the challenges a breach poses.
- Recruiting a capable team responsible for mitigating threats. As a CISO, it is important to have an informed team that can identify threats and take the necessary action against them.
- Keeping up to date with the IT landscape to stay informed of evolving threats and of the resources that help mitigate them. Adversaries stand little chance against a CISO who invests in studying new threats and acts proactively.
- Auditing the security measures that have been put in place to safeguard the organization, and ensuring that these measures are not only up to date but also capable of protecting the company from current security risks and threats.

The next section will clarify what a CISO executive does in an organization.

What exactly is a CISO?

Before we dive deep into the nuances of cyber chiefs' career paths, it is important to understand the nature of the role. Six critical responsibilities underpin a CISO's success, and we'll look at these roles in the following sections.

Trusted security advisor

As a CISO, you need to translate technical matters into the language of the business. In other words, you will be helping non-technological executives and boards understand technical matters and help them make risk-informed decisions confidently.

Strategist

As a CISO, you need to get involved in setting goals, determining actions to achieve the goals, and mobilizing resources to execute prioritized actions that need to be tightly linked to the business strategy.

Leader

As a CISO, you need to have leadership skills not just to build an inspired and bonded diverse team, but also set an example as a role model to create a culture of constant learning, innovation, and active collaboration.

Modern marketer

Modern marketing is the ability to harness the full capabilities of a business to provide the best experience for the customer and thereby drive growth. As a CISO, you need to evangelize cybersecurity capabilities to regulators, client prospects, insurers, and business partners—helping win new business, lower the cost of capital, and maintain a license to operate.

Change agent

CISOs should be able to create a cyberculture whereby everyone in the organization understands cyber risks and helps to mitigate them.

Influencer

CISOs should be able to influence critical stakeholders to support the cybersecurity transformation.

This section has shown what a CISO does in an organization and the various core roles they play within an organization. However, there are other similar roles in an organization, and the next section seeks to clarify the distinct role of a CISO in relation to roles played by other officers in an organization.

Understanding the similarities and differences between a CISO and a CSO

In some organizations, the titles CISO and CSO are synonymous. If an organization has positions for both, their responsibilities will most likely overlap substantially. Both executives are responsible for securing the organization's information and other assets, with subtle differences in scope. A CSO is normally tasked with the security of people, processes, and products as a whole, while a CISO is tasked with the specific information-security issues that keep those people, processes, and products protected. In many organizations, however, the two titles are used interchangeably, or one individual performs both functions.

However, it is important to note that having two individuals playing these two roles in an organization can lead to conflicting scenarios due to the overlapping roles of the two executives and the ever-evolving nature of the challenges that could be classified under both roles. A CISO is tasked with supervising a company's cybersecurity by designing and implementing an organization's security program to deter and curb any security threats that may face the organization. A CSO also plays a similar role in an organization and ensures that the organization is safe from cyber threats and that all organizational assets, processes, and people are safe from both internal and external threats.

With the digital landscape continuously evolving, both a CSO and a CISO are required to keep up to date with current technological advances and changes. This requirement ensures that they keep abreast of any current changes in the digital sphere and evolving threats as well. Without continuous updates, adversaries will have an upper hand, and these two executives will have failed in their roles. Therefore, both executives are similar in their need to continually update their knowledge base to carry out their roles effectively.

This section has differentiated the CISO role from that of a CSO. Next, we will look at what differentiates the role of a CISO from those played by CIO and CTO executives in an organization.

Distinguishing between a CIO, a CTO, and a CISO

In many organizations, CIOs are the foremost leaders of IT departments, answerable directly to the chief executive officer (CEO) or the board of directors. They oversee strategic IT investments, manage IT operations, and lead digital transformations within an organization. If an organization is planning on making huge infrastructural changes that will affect the digital space, the CIO will be tasked with overseeing such projects, ensuring that all organizational information goals are met through the project and that the project meets the long-term mission and vision statements of the organization.

A CTO is tasked with the integration of new technologies. The role typically requires long-term planning and is concerned with the technology infrastructure changes an organization undertakes when adopting or upgrading technology that will significantly change how information flows within the company. In many organizations, a CTO reports to the CIO.

Both a CTO and a CIO play roles that overlap in places with that of a CISO, and the CIO role in particular presents the highest degree of similarity. Having both CIO and CISO executive positions in an organization may therefore prove problematic because of the overlapping responsibilities. A CTO typically works under both individuals and hand in hand with them. A CIO mainly deals with the management side of the organization and usually focuses on its internal operations and on how technological changes affect its information needs. CIOs are also tasked with identifying operational changes that make the most of the information available and leverage the information potential of existing resources to the benefit of the company.

Now that we have differentiated the roles played by a CTO and a CIO and how they are similar in some respects to those of a CISO, we are going to see what defines the various security aspects in an organization and how the CISO role fits into the security leadership dimension.

Designing a security leadership role

Business organizations are increasingly suffering from digital threats in the form of cyber-attacks that have become a top concern for businesses globally. Some of these cyber-attacks have led to the destruction of business entities. To make matters worse, the ever-changing IT landscape has led to increased threats for businesses. This has increased a need for businesses to invest in the security of informational and technological resources within their business enterprises, hence the establishment of the role of a CISO. Organizations must have a department within their organization that deals in security and safeguarding an organization's assets. A failure to adequately protect an organization from both internal and external threats will put the business at risk, resulting in successful data breaches, reduced trust in the company from stakeholders and customers, and threats to the continuity of the business.

To design a security leadership role in a company, all factors affecting a business need to be put into consideration. Both internal and external factors will be used in designing the role of a security leader in a business setup. Internal factors include such things as the available resources of a company, the digital space in which a business operates, and the informational needs and plans of an organization. These various factors will help determine the kind of plans an organization needs to put in place to define the position of the security leader—in this case, the CISO. The external landscape that affects business operations is also crucial to the designing of a CISO role. The business operations and the digital environment it requires to operate will determine the kind of threats facing a company and the kind of responses a business will initiate to handle security risks and threats to their business operations.

After understanding the security leadership requirements in an organization and how a CISO fits into this description, we will next define how the CISO role has been evolving.

Expanding the role of a CISO

The role of a CISO has been expanding with the changing needs of business operations. Technology has been changing quickly, and businesses have had to adapt. Many businesses are moving online and using the internet to expand: they interact with other businesses there and conduct many of their transactions there. Customers interacting in the digital space provide businesses with personal data, as well as financial information, that attackers can target. A CISO has therefore become a necessity, with more businesses going online not only to promote and advertise their business but also as the means by which they carry it out. The online space has become an important channel for business transactions, with thousands of e-commerce sites sprouting up by the day.

The CISO role has traditionally only dealt with keeping information and systems secure from both outside and inside threats. However, more responsibilities are being added to the portfolio of CISO executives, and the expanding role sees CISOs taking an integral role in the long-term planning and strategic planning of an organization. The very things that introduce information and security risks into a business are the things that are required for the strategic growth of the business—for instance, a business may need to perform an overhaul of its business operations to digitalize and automate many aspects of the business. Such an operation would intend to automate the system to make it more effective and introduce competitive advantage and efficiency into business operations.

However, since a strategic plan introduces new information and security risks, a CISO needs to be included in such plans. Therefore, the expanded role of a CISO requires the executive to be integrally involved in the long-term strategic planning of a business enterprise.

You now have a good idea of how the role of a CISO has been expanding and continues to expand. Next, we'll go over the evolving nature of the CISO role.

The changing role of a CISO

The role of a CISO is not what it was 5 or 10 years ago. According to those who find themselves in the role today, that's not necessarily a bad thing.

In the past, CISOs were often over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates, and cleaning spyware off infected laptops and desktop PCs. True, that is still the role some CISOs find themselves in, but for the majority, the responsibility has shifted to looking at the big picture and designing a program that balances acceptable risks against unacceptable ones.

In an ideal world, today's CISO hires someone else to handle all those technical security tasks. Of course, a question remains as to whether you can inspire them to do what you once had to do or if you'll turn them off with an attitude of superiority.

The role of the CISO is ever-evolving because the IT landscape is ever-changing. Every day, new threats arise that a business needs to be wary of, and cybercriminals keep finding new ways to attack systems, with new malware and new intrusion techniques. The changing environment means that a CISO cannot have a fixed role; it will keep changing as the information needs of a company change and as business operations change to reflect those needs. Likewise, when a business invests in new technology infrastructure, its operations will change to accommodate the new technology, bringing the new security challenges that come with those changes. A CISO's role will therefore change with the evolving needs of the organization.

A business is always in competition with other businesses in its respective industry. One of the ways a business beats the competition is through the introduction of new business applications and technology that processes data and business transactions more efficiently. The introduction of new technology into business operations is a common means of achieving an edge over the competition. However, the introduction of new technology and implementation of the same into a business introduces new processes that come with unique challenges.

A CISO role is, therefore, flexible and needs to adapt to the changing environment to remain effective. In a multi-department business, security risks may arise from the operations of any particular department. Because of this, a CISO needs visibility into, and access to, all departments within the business to be most effective.

How to become a CISO

There is no direct path to the CISO role, which makes it all the more important for organizations to hire the right talent. Being a CISO used to be a hardcore cybersecurity role; today, the function involves much more business leadership and risk management.

Today, a CISO must be able to help executives at a C-suite level to understand risk. CISOs in any enterprise organization must have skills to be able to explain security for non-techies, build and maintain critical relationships, and communicate at both senior and operational levels. Soft skills are critical to evangelizing security initiatives and celebrating wins, which need to be expressed as business outcomes.

CISOs who can develop those skills can sell security to their peers and other business-line executives. So, who can become a CISO? Let's find out who the contenders are here:

- Experienced techies, such as cybersecurity architects, network security engineers, or IT security managers
- An experienced technology risk manager
- A CIO or technology leader with extensive experience building high-performing teams, driving digital transformation, and sitting on executive committees

Becoming a CISO requires both theoretical and practical knowledge of information security. Practical experience in information security is what qualifies one in the field; presently, there are no formal requirements for becoming a CISO in organizations globally. However, given the intricate nature of the field and the ever-evolving demands of the role, more expertise may be required of effective CISOs going forward. Many of the key responsibilities of a CISO may not require hands-on experience of information security, but they do require at least a theoretical grounding in the field for the CISO to carry out their mandate effectively.

It is a common misconception that a CISO, given the role they need to execute, must come from a technical background to be an effective executive. This need not be the case. A CISO works with other experts as part of a team, and the team can include people with practical knowledge in various fields, from data management to data security and networking. In some cases, all that is required is a good manager who can direct and motivate the team so that it performs effective work.

However, with the introduction of certified CISO programs, it is now possible for an individual to hold qualifications and certification that show they can handle the various aspects of the CISO role. Such a program tests a candidate on the skills critical to the core roles of a CISO in any organization. To become a CISO, you thus need to learn the theoretical background of data management and understand how information requirements are central to an organization's business operations.

A CISO needs at least to understand the IT landscape in order to make informed decisions about the impact of its changes on the organization. It is critical for individuals pursuing a career in information security to continually update their knowledge of the industry. Other areas of knowledge include the tools used to carry out security testing and to implement security controls for a business entity. A CISO needs to understand the tools available, the kinds of threats that can face their organization, and the best ways to avert those threats.

In the next section, we will look at some areas of focus of a CISO.

CISO responsibilities

Some of the daily tasks of CISOs are outlined in the following list. Please keep in mind that we will cover a CISO's day, end-to-end, in Chapter 2, End-to-End Security Operations:

- Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
- Cyber risk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
- Data loss and fraud prevention: Making sure internal staff don't misuse or steal data
- Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure are designed with best security practices in mind
- Identity and access management (IAM): Ensuring that only authorized people have access to restricted data and systems
- Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks—regular system patches, for instance
- Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they're internal, and planning to prevent repeats of the same crisis
- Governance: Making sure all of the preceding initiatives run smoothly and get the funding they need—and that corporate leadership understands their importance

Let's now have a look at a comparative viewpoint—who should not become a CISO—in the next section.

Who should not become a CISO?

As a trusted security advisor in the past, I met many CISOs who had no clue about cybersecurity, and unfortunately, those CISOs needed the most help. CISOs should not be just hired based on experience in the company or for just being a program delivery manager. CISOs are much more than just a delivery manager, politician, or someone who has networked well to get the hot seat, which pays well.

Mark my words: organizations that follow this path will have ex-CEOs who blame interns for using weak passwords. (Read the news article here: https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html.)

I met many CISOs who depended on our advisory, or who were great leaders but had no clue what was actually happening in the cyber landscape. In summary, anyone who is not cyber literate should not think of being a CISO unless they are happy to learn.

In the last section of this introductory chapter, we are going to explore how to become qualified as a CISO.

Learning about CISO certification

To play the role of a CISO executive effectively, you need to be qualified in information security alongside the other critical skills that are integral to the role in an organization.

Not many organizations offer CISO-specific training, but we will discuss some of them in the next sections.

EC-Council CISO program

The International Council of Electronic Commerce Consultants (EC-Council) is one of the globally leading bodies offering certification to CISOs, qualifying them to carry out the various roles integral to the CISO executive. It awards qualified individuals the Certified Chief Information Security Officer (CCISO) credential. The program focuses on practical experience and recognizes candidates' real-world information security experience when awarding the certification. It was created by high-level executives who laid the foundation on which the program was built, to offer training and recognition to people qualified in the field of information security, in response to the increasingly important role of CISOs in the modern digital world.

CCISO program

The CCISO program is one of the first such programs in the world and offers both training and certification to already practically qualified people globally. Its founders included aspiring CISOs and renowned sitting CISOs serving in various capacities at world-leading technology firms. Before certification, candidates must sit an exam that tests their knowledge of the information security realm. The aim of the exam is not just to test the candidate's practical skills in data management and security, but also their theoretical knowledge of the principles that guide information security. Both the theoretical and the practical aspects of the exam matter to the qualification of a CISO: practical skill in information security needs a theoretical underpinning for a better and more holistic outcome.

Other certifications

Besides EC-Council, the SysAdmin, Audit, Network, and Security Institute (SANS Institute) offers cybersecurity management courses, such as Leading Cybersecurity Change: Building a Security-Based Culture, Security Leadership Essentials for Managers, and more.

Based on a study by Digital Guardian, 53 of the Fortune 100 CISOs held the Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (ISC²), and 22 held the Certified Information Security Manager (CISM) certification from the Information Systems Audit and Control Association (ISACA). The top five certifications held by Fortune 100 CISOs were CISSP, CISM, Information Technology Infrastructure Library (ITIL), Certified Information Systems Auditor (CISA) from ISACA, and Certified in Risk and Information Systems Control (CRISC), also from ISACA.

While certifications are good to show what you know, keep in mind that they don't necessarily make you a stronger professional. Certifications won't turn a CISO candidate from analyst to a C-suite dweller overnight, but what they can do is offer expertise across the many areas CISOs must have basic knowledge of, if not in-depth expertise.

Summary

In this chapter, we have learned that a CISO is the guardian of an organization, building a cyber strategy, acting as an advisor to the board, and still being a technical executive. Depending on the organization, the same role may carry the title CSO or vice president (VP) of security.

The demand for business-centered technical CISOs will continue to grow, as having the right CISO assures companies, their strategic business partners, regulators, and customers that their cybersecurity capabilities are robust and fit for purpose. Being a CISO can be rewarding; as data breaches soar, so does a CISO's paycheck.

In the next chapter, we will cover a CISO's operations, end to end.

Further reading

Here are some resources that can be used to gain more knowledge on this subject:

- All about CISOs: https://www.erdalozkaya.com/tag/global-ciso/
- Understanding CISO Roles and Responsibilities: https://www.deepwatch.com/blog/understanding-ciso-roles-responsibilities/
- Global CISO Forum: https://www.globalcisoforum.com/
- EC-Council CCISO Certification: https://ciso.eccouncil.org/cciso-certification/
- The changing role of the CISO: https://www.securitymagazine.com/articles/91653-the-changing-role-of-the-ciso