Can the IT manager and CISO role be combined?
Not ideally. Jüri Voronov explains that information security management differs significantly from traditional IT and risk management roles. IT managers primarily focus on the efficiency and continuity of IT operations, while information security managers must ensure that all organizational leaders act within their areas of expertise and do not jeopardize information security processes and regulations.
The role of an information security manager is to identify risks, bring them to the attention of the executive team, and create a plan to mitigate these risks while supporting the company's business strategy. The primary goal is to unite the various stakeholders in protecting the company's information and ensuring its security. When the roles overlap (for example, an IT manager also serving as CISO), the results may not always be as reliable, because the separation of duties is lost: the person running the systems is also the one assessing and reporting their risks.
Should all companies have an information security manager?
It depends on the kind of information a company wants to protect. Smaller companies may find it easier to outsource information security management, but this decision primarily requires awareness from the company's leadership and an understanding that the company's data is a significant asset. The most challenging task for a CISO is explaining to the executive team the significant investments and changes required to raise the security level. In practice, action is often not taken until an incident has already occurred.
Speaking of unpleasant scenarios for a CISO, one of the worst cases mentioned was a "ransomware attack resulting in the loss of backups and the inability to recover data." Such potentially very costly situations can only be prevented through conscious and consistent action in advance, such as keeping backups that the attacker cannot reach or alter (offline or immutable copies) and regularly testing that they can actually be restored.
The many faces of the CISO role
The role of an information security manager is highly multifaceted and requires a deep understanding of both technical and strategic aspects. Jüri Voronov adds some further points about the CISO role:
- Strategic Management: The CISO is responsible for developing an information security strategy that aligns with the company's overall business strategy. This involves assessing risks and setting priorities to ensure a strong security posture and compliance with regulations.
- Technical Level: While the CISO does not need to be purely a technical expert, it is essential for them to have a deep understanding of the technologies in use and their risks. This enables effective communication with technical teams and a sound grasp of complex security risks.
- Crisis Management: The CISO must be prepared to lead in emergencies and respond swiftly to security incidents. This includes creating plans for handling attacks and data breaches before they happen.
- Communication Skills: The CISO must be able to explain complex information security concepts to non-technical leaders and other stakeholders. Communication skills are crucial in persuading the executive team to make the necessary investments.
Podcast in Estonian: KüberCAST 22 | CISO positsioon ettevõttes (The CISO position in the company)