Do You Really Need A CISO?
Had an excellent discussion with another CISO on what companies actually need (or have the capacity for), especially when first starting out.
For example, you want to go towards SOC2 compliance. You’re the CEO or CTO of a company and buy a tool out there, of which there are plenty, that will help outline for your organization all the necessary steps you need to take to be compliant.
Great. You know everything that needs to be done. Now what? Now you need to follow up with a variety of people to get all these things done. At this point, what you really need is a project manager or coordinator to follow up and document progress.
Or maybe you have SOC2 compliance already, and are just not sure what real security issues exist in your environment. Well, in this case maybe you need a Security Architect or Principal Engineer? Someone with the technical chops to go deep in your environment, but who has the macro mindset to help you identify security issues and give you solutions to your problems.
With me so far?
Well, say you have your compliance goals met and access to security engineers. What’s next? Well, you might not have a fleshed-out Incident Response Program, or your Disaster Recovery / Business Continuity Plan is shallow, if it exists at all. Or you have a backlog of security issues identified but not remediated. Or your security culture across the company is just not there and needs improvement.
At this point, this is where you need a CISO. Someone at the table with executives and leadership who is able to influence and balance priorities. Someone who can make the case for SLAs on application security issues, build a security culture, or help build and run an Incident Response Program.
A CISO will steer your ship towards real security, but is your organization ready for it?
When looking towards security help, ask yourself: do you need an experienced security Project Manager/Coordinator, a Security Architect/Engineer, or a CISO? Maybe all of the above?
That’s the problem we’re trying to solve. Our mission is to make security expertise more accessible to organizations and leaders, so we can all benefit as a society.