Recently, Raines International Managing Director and Head of Chief Security Officers practice Patrick Gray and SVP and Head of Agribusiness Melissa Oszustowicz hosted a webinar about cybersecurity leadership featuring cybersecurity expert Elad Yoran, executive chairman of Koolspan and CEO of Security Growth Partners.
The average data breach now costs U.S. companies $9 million and takes more than nine months to uncover and contain.
No industry is safe from these increasingly common attacks, yet many companies do not have the right structure in place to prepare for, prevent and respond to an attack.
In early October, at least three U.S. grain distributors’ systems had been infected with ransomware, raising concerns that hackers have found an easy target in a vital part of the U.S. food supply chain.
The attacks, in which organized cybercriminals lock up organizations’ computers and demand ransom for a program to unlock them, have slowed the distributors’ operations, hampering their ability to quickly process grain as it came in.
The dangers are real and growing. And according to Yoran, many companies have a long way to go to be safe.
What is a CISO?
Yoran says cybersecurity is not only a safety feature, but it can help businesses grow and protect their customers.
The CISO (chief information security officer) is a senior-level executive responsible for developing and implementing an information security program, which includes procedures and policies designed to protect enterprise communications, systems and assets from both internal and external threats.
The CISO may also work alongside the chief information officer to procure cybersecurity products and services and to manage disaster recovery and business continuity plans.
The CISO may also be referred to as the chief security architect, the security manager, the corporate security officer or the information security manager, depending on the company's structure and existing titles.
Is having a CISO worth the cost?
“There has to be someone who is responsible for these areas,” says Yoran.
He notes that boards of directors should include a security committee or someone to manage and ask the right questions.
“This person doesn’t have to be an IT expert or cybersecurity expert,” he says. “Today there is an entire marketplace of choices with all kinds of consultants and advisors. Your company doesn’t have to take on the entire burden internally. Ideally, it should be a combination of inside and outside sources.
“But, it’s imperative to have someone at your company focused on cybersecurity.”
While the CISO doesn’t have to be an expert, he or she does need to understand what questions to ask.
“This person will need managerial and interpersonal skills to manage up, down and laterally,” says Yoran.
“They will need to manage up – to summarize and present the context in business terms, such as budgets and priorities,” he explains. “They will need to manage down by coordinating people working on programming and incident response.
“And they will need to manage laterally. Communication is key,” Yoran says. “This person will need to manage all these silos and place them into a holistic organizational perspective. The CISO doesn't control where the risks are. The CISO reports issues, makes priorities.”
Regardless of size, every organization needs to think about cybersecurity. Larger organizations should think about a CISO-level person who is separate from IT and engineering, so that the functions provide checks and balances on each other.
“The CISO can report to whomever it makes sense for your organization – the CEO, COO, CFO – but the position should be independent from IT, engineering and development, so the checks-and-balances work,” says Yoran.
Of course, if your organization doesn’t have a C-suite of executives or doesn’t feel the need to create a CISO-level position, you still need someone watching for data breaches.
“Cybersecurity and data protection are crucial for every business today,” says Yoran. “It’s better to think about how your organization is going to handle a breach before it happens than after the fact.”