
Information Systems Security Manager (ISSM): more than just a job, it's a mission!

Published on December 27, 2022

The keystone of IT security, the CISO manages and implements the security policy for an organization's information systems. To do so, they rely on regulations, best practices and international standards. Beyond technical expertise, this manager combines organizational and functional know-how. Guillaume*, an expert at Cyberwings, a firm specializing in cybersecurity, walks us through how the role works.

Information Systems Security Manager (ISSM), IT Security Manager, Chief Information Security Officer (CISO), Cybersecurity Director... these are just some of the titles given to the person responsible for implementing an organisation's cybersecurity strategy. The many job vacancies published for this role reflect this variety of titles. The CISO is therefore a highly sought-after position. And yet, despite being a key contributor to the confidence, resilience and performance of the information system, few organisations have a CISO.

Doing without a CISO is sometimes imposed by the size of the company, as is the case for micro-enterprises and SMEs. Sometimes it is a choice: some organizations have decided not to devote a full-time equivalent to this function, leaving the IT department, finance or quality management to take on this additional role.

What are the CISO's missions? What skills are required? At a time when the governance and resilience of organizations are proving to be major challenges, tinged with sovereignty, social responsibility and sobriety, how does the CISO set the course for cybersecurity and hold the rudder?

The CISO's #1 mission: governing an organization's cybersecurity

While it is sometimes complex to decide to whom the CISO function is, or will be, assigned, it is easier to define the missions. The main mission of a CISO is to govern, like a captain on a ship, the cybersecurity of an organization in both its strategic and operational aspects.

Setting a course

Governing consists first of all of helping management set a course. That course is defined in the Information Systems Security Policy (PSSI). It must be consistent with the organization's strategic ambitions (development, certification project, desire to address new markets) and follows from the risk analysis carried out at the organization's highest level.

The cyber threat is undeniably present today, in many forms. Any structuring project must integrate cybersecurity best practices in order to succeed. The course can also be conditioned or influenced by third parties: customers or partners with increasing requirements, insurers, public authorities, etc., through controls, audits or regulations. Finally, it may consist of "catching up on the accumulated delay" and reducing the gap between what exists and good practice in information security. This gap is most often observed after incidents suffered internally or after audits and tests have been carried out.

Define a roadmap

Formalizing a roadmap, broken down into operational projects, must then allow the SSI team to progress towards the set objective. To carry out these projects, the CISO must be able to mobilize technical, organizational and human resources.

Raise awareness, mobilize and support

The CISO must mobilize all of the organization's staff to implement good practices and security measures. This happens through awareness-raising and support for change. But the CISO must also rely on dedicated resources, internal or external: the SSI team, ecosystems, partners and trusted service providers.

Master various disciplines

Mobilizing, bringing together and coordinating these resources requires the CISO to understand the legal, technological and managerial issues of each of the cyber projects making up the roadmap. The CISO must also know how to arbitrate, relying on a regularly updated view of the offensive and defensive state of the art, as well as on a substantial body of documentation.

The ideal CISO… a five-legged sheep?

Digital lawyer, ethical hacker, developer, strategist, psychologist, accountant, all at once: the ideal CISO often looks like a "five-legged sheep", the French idiom for an impossibly rare profile.

Rare and multiple skills…

Among these many talents, the CISO must be able to oversee an intrusion test on the network infrastructure, analyze the impact on sensitive data processing, draft a security clause in a service contract, integrate security into application development, run awareness campaigns and training sessions, and then feed the results back into the strategic risk analysis and the organization's roadmap...

This know-how requires extensive experience and a range of varied skills that very few candidates for the position have. No wonder recruiters struggle to find such talent!

… well paid

An exceptional profile commands exceptional remuneration: according to the survey carried out by ANSSI in 2021 among CISOs, 67% of respondents have an annual gross remuneration of between 55,000 and 100,000 euros. They hold at least a baccalaureate +5 (five years of post-secondary study) and 93% are managers or senior managers, according to ANSSI. On top of these high levels of remuneration come the social benefits candidates strongly request: flexible hours, teleworking, part-time work, etc.

A demanding job

Attractive but difficult, the CISO position is subject to strong competition, with significant turnover. Over the last two years, 51% of CISOs say they have been approached between 10 and 30 times by recruiters!

Maintaining a consistent cyber strategy over the long term as pilots come and go can be very complex for an organization. If the CISO is absent, on leave, ill or otherwise unavailable, the ship risks drifting. It is therefore essential to put in place a resilient SSI organization and governance system, based on a responsible team that is present on a daily basis.

Small or large structure: two types of CISO

In micro-enterprises and SMEs

While 79% of CISOs work in structures with more than 250 employees, small organizations have no less need to structure and manage their cyber protection strategy. This may be the case when these small structures are part of an exposed ecosystem or when they hold particularly innovative know-how and intellectual assets. The role of CISO is then often carried out by the company's IT manager.

However, the resources available and allocated to cybersecurity in small organizations are rarely up to the information protection challenges they face. Production, trades, commercial development and IT generally absorb most of the existing financial and human resources. These limited resources naturally lead the CISO to choose between projects and to get involved in both strategic and operational matters.

Thus, it is not uncommon to see a CISO structure the specifications for a future consultation in the morning, write an awareness email in the afternoon, and take care of user tickets and security events throughout the day, even into the evening.

These multiple hats often leave the CISO feeling that future issues, which require anticipation and strategic vision, are not getting enough attention, and that they are stuck with their "nose to the grindstone" keeping up with daily affairs.

In mid-sized companies and large companies

In large structures, being a CISO is not easy either. While the resources available are greater and the CISO leads a real security team, they will be repeatedly confronted with organizational and positioning issues.

The first difficulty is inserting oneself into the strategic decision-making process and making general management understand the importance of cyber risks and their impacts (legal, financial, operational, reputational, etc.) on the organization.

The CISO must therefore also know how to step back from the technical view of risk in order to explain to management the consequences of these cyber risks. Once this first crusade is over, the CISO has the heavy task of quantifying cyber risks, based on the severity of the estimated impacts and the likelihood of their occurrence, in order to define the budget envelope needed to reduce the risks to an acceptable level. This budget will have to be justified, optimized and defended before a finance department that tends to see this item as a cost rather than an investment.

The CISO, project manager who must know how to manage stress

At the opposite end of the organizational chain, the CISO also faces management and coordination issues for the various projects carried out simultaneously. Breaking large projects into interdependent tasks and distributing the associated resources (human, time, financial), while ensuring real monitoring and analysis of performance indicators, can be a real headache. This is all the more true since many actors (internal security team, developers, business lines, external experts, consultants, etc.) are likely to intervene simultaneously on complex projects, turning the CISO into a conductor struggling to keep the orchestra in harmony without deviating from the score.

All of these responsibilities, reinforced by being designated, legally or symbolically, as the culprit in the event of an incident, make the role of CISO hard to bear from a human point of view and create an anxiety-inducing climate conducive to psychosocial risks (burn-out, inability to disconnect, etc.). Indeed, three quarters of respondents to the ANSSI survey consider their work stressful, or even very stressful.

Outsource the CISO function to lighten the workload

Finally, the scarcity of profiles available on the job market, combined with the constraints of the function, makes recruiting a CISO complex. Not to mention that it will be difficult to retain such a profile within the organization.

Recruiting a CISO to act as a cybersecurity superhero therefore represents a real investment. It also means the company places all cyber responsibilities in the hands of a single individual, who will have no room for error.

Faced with these difficulties, total or partial outsourcing of the CISO function is a solution worth considering. Relying on firms and teams of external experts able to pilot or co-pilot the cyber strategy, or to reinforce the CISO already in place, is a way of limiting the risks and weaknesses mentioned above while making the best use of the resources already allocated. From the expert's point of view, a "mixed team" is the optimal configuration for the arduous mission of CISO.

Training, essential to hold the bar

Because it is so complex, the CISO function requires real training on both technical and managerial aspects. Such training lets the future CISO, on the one hand, better understand the security concepts they will have to implement on a daily basis and, on the other hand, coordinate and mobilize as effectively as possible all of the SSI stakeholders they will work alongside.

Our expert

Made up of journalists specialising in IT, management and personal development, the ORSYS Le mag editorial team [...]
