When Should a Startup Hire a CISO?

A CISO is an important role in organizations of any size. But how big should a company grow before hiring one?

When a business starts from the ground floor, it’s usually a small team wearing a lot of different hats. The head of Marketing will also be the HR manager, the CEO acts as a CFO and a COO, the designers are writing copy and everyone—everyone—is getting coffee. In that startup stage, the team is smaller, the business is smaller and inherently the risk is smaller, too. 

But as the company grows, all those things change. Roles need to become more defined to be effective. More tools and infrastructure need to be put in place. More people need to be hired. And your data needs to be more secure than ever. 

The problem is, deciding when and how much to adjust as growth occurs is one of the most difficult decisions young companies face. Hiring too many people too fast can drain your capital; waiting too long to invest in a particular tool can hinder growth. It often comes down to a judgment call. And there is one call I see getting pushed off more than any other: When should we hire a CISO?

What Is a CISO?

Enterprises around the globe realize the benefits the cloud has over traditional computing. However, the cloud presents unique security challenges; security in the cloud needs to be addressed with the same diligence as on-premises software. That’s where a chief information security officer (CISO) comes in. 

A CISO is a senior-level executive within an organization responsible for ensuring information assets and technologies are protected adequately. Essentially, the CISO develops a strategy to protect your company’s data. 

The CISO does this by working with the team to identify, develop, implement and maintain processes across the enterprise to reduce information and information technology (IT) risks. They also respond to incidents, establish appropriate standards and controls, manage security technologies and direct the establishment and implementation of policies and procedures.

Who Handles Security If You Don’t Have a CISO?

It is possible to succeed without a CISO, but you’ll need to ensure that you outsource some of the components of your security to different companies. There is a wide variety of tools out there—and sometimes your engineering team can deploy them for you.

Managed security service providers (MSSPs) provide some level of management over almost any security service, such as firewalls and VPNs, content filtering, DDoS protection, security monitoring and vulnerability scanning—all of which can take place in the cloud. MSSPs are a great and cost-effective way of gaining access to specialized security tools and expertise.

Ultimately, though, new businesses aren’t always taking these precautions—and they’re suffering for it. How do they decide it’s time to make the call and invest in a new executive hire to take care of these issues? 

Data is More Precious Than Ever

When to hire a CISO? This is a question that plagues companies of all sizes—even larger companies often don’t have a CISO at times when they obviously, desperately, need one. But for a fragile startup it can be even more problematic. A CISO protects your data, and businesses are built on data. But these young, new companies tend to think they can protect themselves without help. They think their IT team can handle it, or maybe they have a chief information officer (CIO) they believe will cover those bases. The CIO is the most senior executive in an enterprise responsible for traditional information technology and computer systems in support of enterprise goals, so it might seem natural to turn to these leaders for security strategy. In fact, according to a recent study by IDG, “82% of CIOs expect their IT & security strategy to be tightly integrated in the next three years.”

But by that same report’s findings, CIOs are moving more and more away from the practical responsibility of data protection. That’s just not always their main role; they’re involved in digital transformation, business strategy, revenue generation and other big-picture tasks. They don’t have the same level of understanding of cybersecurity as a CISO.

So as these startups face explosive growth, who is staying diligent about data security? It might not be the most glamorous job, but it’s certainly one of the most essential. And it’s exactly what a CISO is for.

Unfortunately, what ends up happening is CISOs simply don’t get hired in time. It’s not until the worst happens that companies scramble to hire a CISO in the midst of a data breach—which can often destroy small businesses. Don’t make the same mistake. Be proactive: Hire a CISO before your organization has grown to a level where your chief information officer (CIO) cannot handle everything. 

What Skills Should a CISO Have?

If you’re not sure whether you need a CISO just yet, consider whether you understand exactly what a CISO can do. 

When facing a crisis, CISOs have to inspire trust within their engineering team and the C-suite. They have to connect with different teams, build relationships and maintain deep expertise in cybersecurity. Among other things, here are the top skills you should look for when considering a CISO hire:

  • MBA with a specialization in information systems, finance, or accounting.
  • IT experience.
  • Risk assessment and management experience.
  • Certifications such as CCISO (certified chief information security officer) by the EC-Council, CISSP (certified information systems security professional) by ISC², and the CISM (certified information security manager) by ISACA, to name just a few.
  • Business experience.
  • Financial acuity.
  • Communications skills.

Insider threats, security breaches, malware attacks and numerous other security threats are preventable with a robust security infrastructure in place. With this in mind, the function of a CISO is to ensure an organization’s network, data and applications are secure. With corporate data increasingly moving to the cloud, you need to be intentional and ensure your organization is taking steps in the right direction; don’t fall into the trap of thinking your business is immune to cyberattacks.

Francis Dinha

Francis Dinha is the founder and CEO of OpenVPN, a provider of next-generation secure and scalable communication services. With over 60 million downloads since 2002, OpenVPN’s award-winning open source VPN protocol has established itself as the de facto standard in the networking space. The company’s promotional product Access Server is designed for businesses, providing secure access to a private enterprise network, in the cloud or on-premise. Before he founded OpenVPN, Francis was the CEO at Iraq Development and Investment Projects where he played a principal role in architecting a joint venture to win the mobile communication license in Iraq. He has served as an architect and broadband system engineer at Ericsson, where he worked both in the U.S. and Sweden. Francis was also the founder and CTO of PacketStream, a company whose patented technology enabled dynamic Quality of Service provisioning of IP networks. Francis has a Master of Science in computer engineering from the University of Linkoping in Sweden.
