
Blog Post
January 4, 2023 | From the experts
By Field Effect
There’s a lot of confusion around the Chief Information Security Officer (CISO) role. It’s a newer position, at least in comparison to other members of the C-suite, and a notoriously hard spot to fill for many reasons.
In this blog, real-world CISOs shed light on their role, discussing their challenges, skills, certifications, and how businesses can access cyber security leadership even without a CISO of their own.
Chief Information Security Officers (CISOs) spearhead cyber and information security for a business. As valued members of the C-suite, they take on an extensive list of strategic and operational responsibilities, often including:
Not long ago, infosec primarily involved installing an antivirus, recommending that employees follow cyber security best practices, and backing up critical data.
However, workplaces digitized quickly, which drastically heightened the risk of a cyber attack. This, coupled with new pressure from government and regulatory bodies to prioritize cyber security, created a need for a dedicated information security department and leader.
Full-time CISOs can be hard to find, especially for small and mid-size businesses (SMBs) that lack the budget, benefits, or perks needed to attract a qualified candidate. There’s been a growth in virtual CISO (vCISO) services recently, giving businesses access to on-demand infosec consultants who can fill the shoes of an in-house cyber security leader.
We hosted a cyber security leaders roundtable where three industry experts shared their insights, experiences, and security advice. Andrew Loschmann (Field Effect’s Co-Founder and COO), Nic Miller (Independent Cyber Security Expert and Virtual CISO), and Karl Larson (Security Director and CISO at TELUS) offered their thoughts on things like:
Their answers have been lightly edited for length and clarity. Here are some key takeaways from the virtual event.
Karl Larson:
We all struggle with information overload. It's hard to organize and prioritize the firehose of information—not only external information from intelligence feeds and news sources, but also internal problems, concerns, or tasks.
Humans are not able to multitask well. Structuring how you process information, prioritize things, and stay on top of key elements is critical for your success.
One of my mentors said, “look back from quarter to quarter at what you've done successfully and do more of those things. Be sure to cover yourself in the areas that will really affect your business. Those other things that won't keep you up at night? Leave them behind or at least wait until they bubble up to the front.”
Nic Miller:
Information overload comes from vendors a lot of the time. They may say I'm not doing my job properly because I'm not buying a certain cyber security product or subscribing to a service. You need to be confident that you've protected the right things; otherwise, you’re living in perpetual fear that you're missing something.
Andrew Loschmann:
Cyber security leaders are trying to do everything for everybody, but the major thing that will help is to have a strategy for organizing your issues. Instead of solving all the problems, what are you trying to accomplish?
In engineering, there are "first principles,” meaning you can deconstruct any problem if you understand the basic building blocks. The same concept applies to cyber security.
Working with big frameworks, such as the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO) standards, helps you organize and effectively prioritize what you're doing.
You can identify what is important to you now and what might be important later but isn’t worth focusing on yet. You can cut out a lot of the noise that makes you feel that information overload.
It will also help you structure your workforce so that your team is not left feeling like they have a million things to do. We know there are certain things you can do that will disproportionately benefit the organization, and those should get priority.
Nic Miller:
If a user receives a malicious email or admits to opening a suspicious file, but we don't have internal or external cyber security resources, we need to know how to respond effectively. There are real benefits to knowing how to respond quickly to incidents and resolving them before too much damage is done.
The earlier you act, the less complex the incident. Typically, in these instances, if the attacker gains access to a network and gets privileged access, your incident response just became 1000x harder. If you can get the incident contained before that point, that's key.
Karl Larson:
I don't have a cyber security background. I was an English major, went into IT, then audit, and now cyber security. This is my jam, not my upbringing.
Certifications get you in the door or past the recruiter often. If the job description asks for a CEH (Certified Ethical Hacker), and you don't have that certification, you may get discarded.
There's a term called Vitamin B, which is all about relationships. Nurturing a relationship or meeting someone in the industry can help [you get a foot in the door]. We all need to work with our network. That network might be career fairs or a family member. There are opportunities for those interested in cyber security, even without certifications.
Sometimes, an easier path to gaining that initial experience may come from working in small or mid-sized businesses. Their expectations may be more realistic and have less of a need for certifications.
Andrew Loschmann:
The first thing is to find trusted help. There are outstanding professionals like vCISOs who can advise start-ups on their priorities, for example.
[Getting a handle on cyber security] doesn’t have to be expensive, but you must invest something: time, process, energy.
Another thing you can do is look at some of the leading government regulations in your country. The Baseline Controls for Cyber Security in Canada is a great guide for small organizations.
Also, connect with cyber security providers or other people you trust. Your accountants or lawyers might have recommendations for firms that deal with this.
Nic Miller:
The biggest mistake by far is overconfidence that you know everything. I've worked in this field for 12 years, and there’s a huge amount I do not know. I would never consider myself an expert. I understand I know a little bit about many topics rather than being a specialist in one area.
But I speak to companies that say, “I'm not worried about this because I’m not a target,” or they're wildly more exposed to risk than they realize. From their perspective, they have this thing cracked. That thinking is unfortunately more common across organizations than I'd like.
Andrew Loschmann:
Don't overestimate what your audience knows. There's a lot of talking past people in this industry. Sometimes it's innocent, other times it's an attempt to show you know something they don't.
It is a real problem in cyber security because the field is so new and rapidly changing that many people struggle to keep up. If you want maximum impact, ensure your audience understands you when you communicate.
What about businesses that don't necessarily need a permanent, full-time CISO?
Field Effect offers a vCISO Service staffed by cyber security leaders with years of hands-on experience defending some of the most critical, complex, and fast-paced security environments in the world.
Whether you need an experienced leader to set goals, develop robust cyber security programs, support IT, assess cyber risk, manage and guide your infosec team, align with security frameworks, or ensure compliance with a lengthy list of regulations—Field Effect’s vCISOs can get started today.
Curious to learn whether a vCISO might be right for your business? Check out the vCISO brochure or schedule a brief consultation with one of our experts.