BOOK EXCERPT The Secure CIO
W
hen I began asking CIOs what problem they were solving by hiring a security professional, the answers didn’t surprise me. Responses such as ‘The audit and risk committee told us a recent audit showed we need to address cyber risk better, and this included hiring a leader to take responsibility’ were common. Some responses focused on domain expertise, having an expert to define the strategy and mitigate the organisation’s security risks. Some of the less common responses were that a security leader was needed to advise the CIO and that security awareness was key to their remit. The overwhelming majority spoke about protecting the customer. This is a great place to start as a rationale for having a security team and a security leader. If you put protecting your customer at the heart of what you do, your reason for being will be similar to that of the sales, marketing, finance, and operations teams: retaining the customer. Protecting the customer also means retaining your reputation in the market and ensuring the resilience of systems to continue operating through threats and incidents. The point of this chapter is that no matter what your reasons are for bringing in a security leader, you are prepared to back this leader in their pursuits to deliver. You don’t want to hire a scapegoat. You don’t want to
What is your why? ‘If you hire people just because they can do a job, they’ll work for your money. But if you hire people who believe what you believe, they’ll work for you with blood, sweat and tears.’ - Simon Sinek, author hire one person to do the job of many, and you don’t want to hire a security leader so the organisation can wear it as a badge of good corporate citizenship. Hiring a security leader takes work, some of which needs to be done before they arrive. Understanding what you need them to do, what they will be stepping into, and how you plan to support them emotionally, financially, and organisationally is incredibly important. Yes, these leaders are grown-ups;
