Understanding CISO Roles and Responsibilities

Nuria Lago García, CISO in NH Hotel Group

What is a CISO?

This question has been asked many times however, all the answers are different, all valid and noneincorrect. A Security Manager or CISO is a key player in an organization, a person who assesses risks before they occur, someone who is not pleasant to listen to, but whom everyone remembers when there is a problem. She or he is the Mr Wolf(1) of security.

It is mistakenly thought that the CISO is a person who lives away from a keyboard except to handle documents, spreadsheets and nice presentations with many graphics but without technical content, managerial positions with indicators (KPI) and graphs in hand without contact with the teams of information technology. A person who can even give the impression of being the Sheriff and is able to break all the rules if he wants to, be a lone "wolf" in his work and have no friends in the organization.

The role of the security manager of an organization is based on trust in his team. The CISO of a company must be a close person, but above all, they must surround themselves with a good team that provide them with mirrors and shadows. Mirrors where they can see reality reflected as it is, without pretty and sweetened words, without vanities or deceits. Shadows that will never leave him and that will always be there, no matter what. And this is where the importance of trust is seen. We are talking about a strong, firm network that supports the full weight of security in an increasingly vulnerable and exposed world: a multidisciplinary team that has experts on both sides: offensive team and defensive team. Two opposing sides but completely necessary and complementary for the thing to work.

And how to make it work?

The theory says that a CISO must have a horizontal vision of the organization. He must be able to understand the needs of the business and transfer them to the different technology departments in an understandable way, understand the global risk and know how to detail it in each of the scenarios in which this objective has a place, be thorough, and analytical.

However, my experience tells me that the role of the CISO has to be a person ideally with a good base of technical knowledge that allows them to understand the technologies and controls implemented in the organization. CISOs need to collaborate closely with CIOs.

He must have a multidisciplinary profile, a technical base that makes him capable of understanding what happens in "the boilers of the ship" and assess the possible risks of the existing architecture, of the proposed changes or the new developments to be carried out.

“CISO must be able to keep his nerves at bay, have a cool mind, be analytical and take the right decisions at the right time”

Clearly, he must have a top-down / bottom-up vertical vision capable of understanding what is happening at a low level and be able to convey the situation to those above in an understandable language, but he must also be able to roll up his sleeves when things go wrong or get complicated, and to go down into the mud, if necessary, if some catastrophe occurs.

And if the catastrophe comes... Then what?

It is in that moment, when all eyes are focused on the CISO, he stops being an unnoticed or forgotten person to become the key piece for everything to work. Many times, crisis situations put the involved people to the limit and that is when the CISO is truly valued. He must be able to keep his nerves at bay, have a cool mind, be analytical and take the right decisions at the right time. It is a key person to coordinate all the experts involved and must be able to solve the situationin the best possible way.

The stress is extreme when you stand on top of a tower built by sticks and from above, you see some children playing with matches (zero days).

But then... What does the CISO do?

A bit of everything: hemust establish limits within the company, security controls and warn about the risks. Raising awareness of security must be one of histop priorities since, after all, security depends on everyone and in terms of security, we all have an important role.

CISOs must make decisions, although these were not always pleasant: must be able to make people understand the risks and convince them of the importance of security, even if sometimes that means awkward conversations, small fights or endless meetings.

He must be able to understand and identify the applicable regulatory needs in each case, and in each country in the case of being a global CISO and implement the necessary security controls in each and every one of the applicable scenarios. He must find a balance between the allocated budget and fight to demand higher budgets for cybersecurity. His role must be integrated into the company's business plan, providing security and confidence inorder to carry out all the expectations of growth and commitment of the organization.

The role of the CISO has a completely different role than it may seem from the outside. It is a complicated figure, sometimes misunderstood, pointed out and perhaps even hated in other scenarios. However, truly, for me, it is a vocational job.

Weekly Brief

Read Also

Encryption - your superpower or your kryptonite

Encryption - your superpower or your kryptonite

Nimesh Mehta, Senior Vice President & Chief Information Officer
Cyber Security Training: Messaging to the right audience matters

Cyber Security Training: Messaging to the right audience matters

Alex J Attumalil, VP, Global Chief Information Security Officer, Under Armour
How to Minimize the Impact of Cyber Attacks on Businesses?

How to Minimize the Impact of Cyber Attacks on Businesses?

Mark Alvarado, Director of Cyber Security & IT Compliance, Academy Sports + Outdoors
Communication Flows: The Key to Enterprise Cybersecurity

Communication Flows: The Key to Enterprise Cybersecurity

Thomas Titus, Director Information Security, Everest Reinsurance
How Local Governments in Rural America are Combatting Cybersecurity

How Local Governments in Rural America are Combatting Cybersecurity

Shane McDaniel, Director of Information Technology at City of Seguin
Building a Cyber Security PMO-why is it important for Cyber departments

Building a Cyber Security PMO-why is it important for Cyber...

Ravi Narsipur, Director Cyber Security & Risk Management at United Technologies