29 June 2020

How do you secure the right CISO - and is this person even available in Denmark?

The term 'CISO'

This job function goes by many titles, which adds to the confusion about the CISO role. Below are just some of the titles in use:

  • Head of information security / IT security
  • IT security director
  • Cyber security executive
  • Information security director
  • Chief Security Officer (CSO)
  • Vice President of information security

No wonder there is confusion at all levels regarding the content, responsibilities, powers and reporting line of a CISO role, as well as the requirements and qualifications attached to it. Where there were previously very narrow and more technical definitions of a CISO's responsibilities, the description is much broader today. Our version of a 2020 definition could be:

A CISO is responsible for establishing, ensuring and maintaining the company's vision, strategy, programmes and systems so that the company's data and technologies are always adequately protected. A CISO is expected, personally or with a team, to identify, develop, implement and maintain processes across the company's value chain that reduce technology-related risks.

The areas of responsibility cover everything from incident response, establishing standards and checks, ensuring the proper management system, preparing and implementing policies and procedures as well as ensuring the required compliance.

Out in real life, we see variants of this role depending on the company’s industry, size, organisational structures and digital maturity. In one place, the CISO might be the only IT security function the company has, which results in extremely technical and operational work. In another company, a CISO might manage a larger team of specialists as well as generalists within operational IT security, GRC (Governance, Risk, Compliance), information security – and in some places even physical security.  

Deloitte described and divided the CISO role into four different characteristics: guardian, technologist, strategist and advisor – which is in some ways a nice illustration of the complexity associated with this role, then and now. According to Deloitte, in 2016 a CISO would in most cases (approx. 77%) draw on the technical aspects of the role, as the guardian or the technologist. Already back then, it was discussed whether the two other roles – the strategist and the advisor – would play a more important part in the future.

The strategist is the person who makes sure that the IT security effort complies with the company’s strategy, and who ensures innovation and long-term change and investment plans in this field.

The advisor is described as the person who, in close collaboration with the company, trains and advises employees, and who constantly influences decisions related to IT security with qualified knowledge of consequences and implications.

At CSA CPH, we have just finished an analysis clarifying the organisational consequences of the development in the threat assessment. The analysis is based on interviews with 27 Danish CISOs. It clearly shows that Deloitte's assumption was correct, and that these days the strategist and the advisor are needed. In most companies, digitalisation is the focal point of strategy and business development. A CISO is therefore expected to assist with the digitalisation through solutions that do not limit, but rather support it. This requires the CISO to cover technical as well as communicative aspects in order to advise the company.

Based on the development we see in the market in 2020, we believe that a fifth role should be added: the leader.

The leader is able to lead, inspire and develop a team of specialists, and to communicate and convey the significance of information security to management and board and thus ensure the proper attention on the board’s agenda. The leader has a fairly good technical foundation combined with good business sense, making him/her able to incorporate information security holistically regarding KPIs as well as reporting.

Which type of CISO is needed?

The type of CISO specifically needed in your company obviously depends on a number of parameters. These parameters relate to industry, complexity, whether the company is part of the six sectors designated as critical infrastructure and thus covered by legislation and regulation, the maturity regarding the level of IT security as well as the general IT landscape, the specific threat assessment, the significance of digitalisation to the company, and much more.

As is the case with all recruiting, the level of success depends on how good you are at defining (and thus delimiting) the role and understanding the journey the candidate must take with the company. It is relevant to ask how good you are at describing "AS IS" and "TO BE". This is a challenging – and almost impossible – task, considering that the threat assessment changes constantly and is also defined by factors on which you have no influence. Not many companies have a proper comprehension of "AS IS".

For most companies, it is extremely difficult to describe the current IT security setup, particularly if they have not previously had a CISO, or have had one without a good comprehensive view of the situation, which is much too often the case in small and medium-sized companies. Consequently, they do not have a full and realistic overview of where they stand.

Recommendations

Interim CISO: Regardless of the size of the company, we have had good experiences with hiring an interim CISO during the recruitment phase (3-6 months), who helps define the role and ensure the right qualifications in the future CISO. There are many extremely qualified CISOs at all levels who choose interim employment for a period of time. These are persons who would normally be overqualified for the role, but who have the necessary comprehensive view and an interest in maturing the company in this field.

Expert assistance for the professional assessment: You have to be 100% certain that the candidate has adequate professional qualifications regarding technology, organisational impact and possibly management. IT security is a broad field with many subject areas that can be difficult to assess. You may want to seek external assistance for the professional assessment. If your company is affiliated with a technical consultancy, they would probably be happy to assist you in evaluating technical skills. Furthermore, there are a few specialised head-hunters who can provide a second opinion on the candidates' technical level, managerial skills and impact.

The board of directors should be involved in the hiring: Unfortunately, the CISO role has become somewhat of a job-hopping position. One reason for this is the lack of support from top management and the board. In recent years, IT security has been described as one of the pivotal themes on the agenda of top management and boards – and this should also be reflected in the hiring process. Involving the board should help it feel comfortable with the recruitment, ensure that the new CISO and the board speak the same language, and give the candidate an impression of whether the necessary attention to this area exists.

Set the bar high, maybe look abroad: Do not compromise. If there are not enough qualified candidates nationally, look internationally. Denmark is an attractive country in many ways, with good possibilities of attracting experienced candidates from other countries: candidates who have experience from large and complex companies, and who have "grown up" in a more sceptical and defence-based culture than has historically been the case in Denmark.

Which role is needed: It is most important to assess where the company is with regard to maturity in relation to IT security. This is of vital importance regarding which combination of the four roles the company needs. During our analysis, it became clear that the majority of Danish companies can be divided into four categories, each with their own focus.

  1. Companies without a current IT security function. IT security is handled by the CIO/IT manager, who relies on external consultants
  2. Companies subject to critical infrastructure rules
  3. Major global manufacturing companies
  4. Companies with a digital agenda

Ad1. Companies without a current IT security function. Our recommendation would be an interim CISO. The most important task would be to review the technological platform and implement the necessary systems, and to establish processes and subsequent checks, as well as to work on the change process in the organisation, and the behaviour required to reach a higher standard.

Ad2. Companies subject to critical infrastructure rules. This group is characterised by being subject to legislation and regulation; these companies have therefore started the required journey and have a clear view of where they are going. There is focus on establishing the area, there are demands from management and the board, and there may be political attention, which means that the strategist and leader roles are in focus. Technological qualifications are/must be present, but the importance of the area means that there must be more technologically skilled persons in the team.

Ad3. Major global manufacturing companies. This group is often challenged by expensive and old production systems, by working internationally, and by being subject to compliance requirements from major global clients. Security is on the management agenda, and they have a clear comprehension of the consequences of potential breakdowns. The IT security function often has a headcount of 5-6 employees. The technical aspects of IT security are often either outsourced or placed in operations. The challenge for the CISO is to a great extent to involve and include the entire company, so that IT security is considered in R&D, production, sales etc. Thus, the advisor and guardian roles become essential – closely followed by the leader role.

Ad4. Companies with a digital agenda. This group might have hired or replaced their CISO recently, having found that they need a CISO who can advise and spar with management on security in relation to their business development. Things are moving quickly, and they need a visionary.

What is the market like for CISOs in Denmark?

Companies who have not previously had a CISO
In this segment, there are many qualified potential candidates – particularly candidates who have worked in management consultancies for a number of years. Often, there is a widespread desire among these candidates to try their hand at a CISO role after a couple of years as consultants.

Small and medium-sized companies
A major challenge in this segment is the significant turnover that has existed among CISOs with a few years of experience. We are starting to have a good base of experienced CISOs in this segment who have grown from being technical to acting as advisers and strategists, and who have the necessary business sense. Unfortunately, the CISO role has become a job-hopping position. It is our assessment that CISOs only last 18 months in the job on average, that the situation in Denmark currently matches this figure, and that most CISOs have changed jobs within the last 12 months.

Larger companies
In this segment, there is a limited selection of candidates. We have a structural challenge in Denmark in that our business community is primarily made up of small and medium-sized companies. This means that we only have a small handful of CISOs who have gained experience from larger, complex companies with a high level of maturity in information security and cybersecurity. It is primarily in the financial sector that we find the really heavy candidates with major experience.

Closing facts

  • 21% of Danish companies have hired a CISO in the last year.
  • On average, a CISO stays in the position for 18 months.
  • In a LinkedIn search for CISOs in Denmark, you will find approx. 274 profiles, of which 23 are women. 
  • We have 168 CISO candidates in our database – of which 38 candidates have experience from interim CISO roles.
  • Wage level: Over the last 2 years, salaries have increased by 18%, to a range of DKK 85,000 to 150,000 per month plus pension.