The chief information security officer: The new CFO of information security

June 4, 2018 | Steve Hyde

The chief information security officer is responsible for overseeing the company’s enterprise and security architecture and needs an in-depth understanding of legal and regulatory requirements, risk management, security audits and data structures.

It seems like every week there’s another high-profile data breach making headlines. Chief financial officers can rely on internal controls to provide the level of accuracy and integrity necessary to prepare and attest to financial statements, but with every incoming email or jump drive a possible threat, keeping a company’s sensitive information secure can seem like an impossible task. The CFO isn’t fighting this war alone, though; the constant threats have given rise to a new role: the chief information security officer, or CISO.

The CISO role isn’t necessarily new, but it is getting more and more attention, elevating the position to the same level of importance as the chief information officer and CFO. Years ago, the role was mainly just another hat worn by the CIO. Because of technological advancement and financial regulations, the background needed for a CISO is changing. While enterprise and security architecture plays a large part, the CISO also needs to understand legal and regulatory requirements, risk management, security audits and data structures.

As the CISO role expands, it’s becoming a harder and harder role to successfully fill. There are many responsibilities to which the CISO needs to tend. First and foremost, the CISO needs to understand the many types of data used by the company. Is there personally identifiable information? Customer credit cards? Sensitive health information? Critical intellectual property that the company needs to safeguard? Knowing that the data exists, where it resides and how it is protected is just the start.

A CISO must work hand in hand with the CIO to ensure that sensitive data is protected by the technical infrastructure. In some cases, that even means protecting users from themselves. How? Many companies are implementing email systems that automatically scan outgoing messages for sensitive data such as Social Security numbers or credit card information and force the message to be encrypted when it is found. A company may also lock down USB ports to prevent information from being copied to a jump drive.
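To make the outbound-scanning idea concrete, here is an added example (not a tool or code from the article) of the kind of check such an email gateway performs: it looks for Social Security numbers and payment card numbers in a message body, uses issuance rules and the Luhn checksum to discard digit runs that merely look sensitive, and returns an "encrypt" or "send" decision. The message texts, the function names and the pattern rules are this example's own assumptions.

```python
import re

# Constructed sample messages (assumed for this example, not from the article).
SAMPLE_MESSAGES = {
    "invoice": "Hi, the card on file 4242 4242 4242 4242 was charged today.",
    "hr": "New hire SSN is 219-09-9999, please add her to payroll.",
    "benign": "Lunch Friday? Ticket 000-12-3456, ext 4111 1111 1111 1112.",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive(body: str) -> dict:
    """Return the plausible SSNs and Luhn-valid card numbers found in a message body."""
    hits = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(body):
        if ssn_plausible(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits["card"].append(digits)
    return hits


def outbound_policy(body: str) -> str:
    """Gateway decision for one outgoing message: force encryption if anything sensitive was found."""
    hits = find_sensitive(body)
    return "encrypt" if hits["ssn"] or hits["card"] else "send"
```

The "benign" message shows why the plausibility checks matter: it contains a 9-digit ticket number in SSN format and a 16-digit extension string, and both are ignored because they fail the issuance rules and the Luhn check respectively.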

Smartphone proliferation has required the use of mobile device management systems so that companies can wipe their information from an employee’s phone if necessary. Print management systems can identify who is printing sensitive information and automatically mask certain fields. Securing electronic data is hard enough; trying to secure information that has already been printed is nearly impossible. These are just some of the tools being used to ensure that sensitive information remains securely within the walls of the company.

Knowing what sensitive information exists and where it resides is useless if the wrong people have access to it. The CISO needs to ensure that procedures exist to verify a new user’s access and to terminate access as soon as an employee leaves the company. For many companies this is a manual process, so it’s important to review employee access at least annually to make sure no one has “fallen through the cracks.” Physical security, password policies and patch management also play a major role in keeping your information safe.

The CISO also plays the role of teacher within the company. We recommend that the CISO review company policies with the human resources department, especially those covering standard computer usage and information security best practices. This education isn’t just for new employees: a CISO may hold mandatory classes for all employees to remind them of the security threats they face on a daily basis. As new threats arise, the CISO may also need to email the entire company to warn them of a zero-day threat exploiting a system vulnerability.

The CISO role is continuously evolving, and the CISO needs to keep refreshing his or her skills as new threats emerge. Many CISOs have turned to certifications with continuing-education requirements to keep up. There are numerous security certifications; the following are the most popular and relevant to the role:

  • Offensive Security Certified Professional (OSCP)
  • Certified Information Security Manager (CISM)
  • Certified Information System Security Professional (CISSP)
  • ISACA Certification in the Governance of Enterprise IT (CGEIT)

These certifications can add indispensable skills for a technology or audit professional, but they can also take a long time to study for and complete on top of an already full workload.

Being the chief information security officer is no easy task. It takes a varied skill set and continuous learning while (maybe worst of all) most employees think you’re making their job harder with the policies and procedures you put in place. Maybe you can just be satisfied knowing that the data breach you helped prevent is the reason there’s still a company to protect.

For more information, please contact Steve Hyde at 800-236-2246.

Adapted from an article that originally ran in WICPA’s March/April 2018 issue of On Balance magazine.


Steve Hyde, MS, MBA, chief information officer and director-information technology services, has 20+ years of technology-related business experience including IT strategy, hardware/software assessment and implementation, metrics/dashboard creation, and information security and controls.