As the cornerstone of IT security, the CISO oversees and implements an organisation's information systems security policy. To do so, he or she relies on regulations, best practice and international standards, and combines technical expertise with organisational and functional know-how. Guillaume*, an expert at Cyberwings, a firm specialising in cybersecurity, takes us through the nuts and bolts.
Information Systems Security Manager (ISSM), IT Security Manager, Chief Information Security Officer (CISO), Cybersecurity Director... these are just some of the titles given to the person responsible for implementing an organisation's cybersecurity strategy. The large number of job vacancies open for this role bears witness to this variety of designations. The CISO is therefore a highly sought-after position. And yet, even though the CISO is a key contributor to the confidence in, resilience and performance of the information system, few organisations actually have one.
Doing without a CISO is sometimes dictated by the size of the company. This is the case for micro-businesses and SMEs. And sometimes it's a matter of choice. Some organisations have decided not to devote a full-time equivalent to this function, forcing the IT, finance or quality departments to wear this extra hat.
What are the CISO's tasks? What skills are required? At a time when governance and organisational resilience are proving to be major challenges, coloured by concerns of sovereignty, social responsibility and digital frugality, how does the CISO set the course for cybersecurity and steer the ship?
Mission No. 1 for CISOs: to govern an organisation's cyber security
While it is sometimes complex to decide who is - or will be - given the role of CISO, it is easier to define its missions. The main task of a CISO is to steer - like a captain on a ship - the strategic and operational aspects of an organisation's cyber security.
Setting a course
To govern is first and foremost to help management set a course. This course is defined in the Information Systems Security Policy (PSSI, from the French acronym). It must be consistent with the organisation's strategic ambitions (growth, a certification project, a desire to address new markets) and stem from the risk analysis carried out at the highest level of the organisation.
The cyber threat is undeniably present today in various forms. Any structuring project must incorporate good cybersecurity practice if it is to succeed. The course may also be conditioned or influenced by third parties: customers or partners with increasingly demanding requirements, insurers, public authorities, etc., acting through controls, audits or regulations. Finally, it may consist of "catching up" and closing the gap between what already exists and best practice in information security. This gap is most often identified following incidents suffered internally, or following audits and tests.
Defining a roadmap
Formalising a roadmap broken down into operational projects must then enable the information systems security (ISS) team to progress towards the set objective. To deliver these projects, the CISO must be able to mobilise technical, organisational and human resources.
Raise awareness, mobilise and support
The CISO must involve all the organisation's staff in implementing good practice and security measures. This calls for awareness-raising and change management. But the CISO must also rely on dedicated resources, both internal and external: the IS team, ecosystems, partners and trusted service providers.
Mastering various disciplines
Mobilising, bringing together and coordinating these resources requires the CISO to understand the legal, technological and managerial issues involved in each of the cyber projects that make up the roadmap. He or she also needs to be able to arbitrate on the basis of a regularly updated state of the art in terms of both offence and defence, as well as a substantial body of documentation.
The ideal CISO... a sheep with five legs?
Digital lawyer, ethical hacker, developer, strategist, psychologist, accountant... the ideal CISO is often described as a "five-legged sheep", the French expression for a profile so rare it may not exist.
Rare and multiple skills...
Among their many talents, they must be capable of managing a penetration test on the network infrastructure, analysing the impact on sensitive data processing, drafting a security clause in a service contract, integrating security into application development, running awareness campaigns and training sessions, and then feeding the results back into the analysis of strategic risks and the organisation's roadmap, etc.
These skills require a great deal of experience and a wide range of competencies that very few candidates for the job have. It's hardly surprising that recruiters are struggling to find such talent!
... well paid
Exceptional profiles call for exceptional remuneration: according to the survey carried out by the ANSSI in 2021 among CISOs, 67% of respondents have a gross annual salary of between €55,000 and €100,000. They have at least five years of higher education, and 93% are managers or senior managers, according to the ANSSI. On top of these high salary levels, candidates are also looking for a range of benefits: flexible working hours, teleworking, part-time work, etc.
A demanding job
Attractive but difficult, the job of CISO is highly competitive, with high staff turnover. Over the last two years, 51% of CISOs say they have been approached between 10 and 30 times by recruiters!
Maintaining a coherent cyber strategy over the long term through a succession of captains can be very complex for an organisation. If the CISO is absent, on leave, ill or otherwise unavailable, there is a risk of the ship drifting. It is therefore essential to put in place a resilient organisation and system of ISS governance, supported by a team that is accountable and present on a day-to-day basis.
Small or large structure, two types of CISO
In micro-enterprises and SMEs
Although 79% of CISOs work in organisations with more than 250 employees, small organisations still need to structure and manage their cyber protection strategy. This may be the case when these small organisations are part of an exposed ecosystem, or when they hold particularly innovative know-how and intellectual assets. In such cases, the role of CISO is often taken on by the company's IT manager.
However, the resources available and allocated to cyber security in small organisations are rarely equal to the information protection challenges they face. Production, the business lines, business development and IT generally take up most of the existing financial and human resources. These limited resources naturally lead CISOs to make trade-offs between different areas and to become involved in both strategic and operational matters.
For example, it is not uncommon to see a CISO structuring the specifications for a future consultation in the morning, drafting an awareness-raising e-mail in the afternoon and dealing with user tickets and security events throughout the day, and even into the evening.
These multiple roles often result in a feeling of not taking sufficient account of the issues of the future, which require anticipation and strategic vision, and of finding oneself with one's 'nose to the grindstone', keeping up with day-to-day business.
In mid-sized companies and large companies
In large organisations, being a CISO is no picnic either. Even if the resources available are greater and the CISO manages a real security team, he or she will face recurring organisational and positioning issues.
The first challenge is to get involved in the strategic decision-making process and make senior management understand the importance of cyber-risks and their impact (legal, financial, operational, reputational, etc.) on the organisation.
To do this, the CISO must be able to step back from the technical view of risk in order to explain to management the consequences of these cyber-risks for the business. Once this first crusade has been won, the CISO faces the onerous task of quantifying the cyber-risks in terms of the severity of the estimated impacts and the likelihood of their occurrence, in order to define the budget envelope needed to reduce the risks to an acceptable level. This budget will then have to be justified, optimised and defended in front of a finance department that tends to view this item as a cost rather than an investment.
CISOs, project managers who need to know how to manage stress
At the opposite end of the organisational chain, the CISO is also faced with the problem of managing and coordinating the various projects being carried out at the same time. Breaking down major projects into interdependent tasks and distributing the associated resources (human, time, financial), while ensuring proper monitoring and analysis of performance indicators, can be a real headache. This is all the more true when a large number of players (in-house security team, developers, business lines, external experts, consultants, etc.) are likely to be involved simultaneously in complex projects, turning the CISO into a veritable conductor, struggling to maintain overall harmony and not deviate from his or her score.
All these responsibilities, reinforced by the fact of being designated, legally or symbolically, as at fault in the event of an incident, make the job of CISO a complex one from a human point of view and create an anxiety-inducing climate conducive to the development of psychosocial risks (burn-out, inability to disconnect, etc.). Indeed, three quarters of respondents to the ANSSI survey consider their work to be stressful, or even very stressful.
Outsource the CISO function to lighten the workload
Finally, the scarcity of profiles available on the job market, combined with the constraints associated with this role, makes recruiting a CISO a complex process. Not to mention the fact that it will be difficult to keep such a profile within the organisation.
Recruiting a CISO to act as a cybersecurity superhero therefore represents a real investment. For the company, it also means putting all cyber responsibilities in the hands of a single individual, who will have no room for error.
Faced with these difficulties, outsourcing all or part of the CISO function is a solution worth considering. Relying on external firms and teams of experts to steer or co-steer the cyber-strategy, or to contribute to the development of the CISO in place, is a way of limiting the risks and weaknesses mentioned above, while optimising the resources already allocated. The choice of a "mixed team" is, from an expert point of view, the optimum configuration for taking on the arduous mission of CISO.
Training, essential to stay on course
The complex role of CISO requires genuine training in both its technical and managerial aspects. This enables future CISOs to gain a better understanding of the security concepts they will have to implement on a day-to-day basis, and to coordinate and mobilise all the IS players they will be working with as effectively as possible.
Our best training
- Information Systems Security, summary
- Network/Internet cybersecurity, summary
- Systems and network security, level 2