Alexander's Blog

Sharing knowledge with the global IT community since November 1, 2004

What’s the Cost for Not Having a CISO on Staff? $600 Million?


A Chief Information Security Officer (CISO) provides executive-level leadership to an organization. The CISO oversees the organization’s cybersecurity and privacy programs and leads the strategic efforts to secure its business data and assets from internal and external threats. All organizations that are connected to the Internet need a person who is responsible for establishing and maintaining their cybersecurity program. The only question is whether they can afford it. Small organizations that can’t afford a full-time CISO can hire a virtual CISO (vCISO), who works for them part-time and provides only the amount of CISO services they need. This could be as little as a few days a week, a couple of weeks a month, or on a project basis.

In this article, I will use the term CISO because most people are familiar with the CISO role. However, the role I am referring to, the person who oversees the organization’s cybersecurity initiatives and provides strategic guidance, may go by a different title in some organizations.

What’s the Cost for Not Having a CISO?

The cost of not having a CISO on your team is not something that you can easily measure. Some companies find out the cost the hard way.

Ireland’s national health system, known as the Health Service Executive (HSE), is Ireland’s largest employer with 130,000 staff members and is classified by the European Union (EU) as a “critical infrastructure operator.” HSE provides public health services to the entire Republic of Ireland. When an employee opened an Excel attachment in a phishing email on March 16, 2021, it installed malware on the device. This event was the beginning of a Conti ransomware attack that would cost HSE at least $600 million. According to Wikipedia, “The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.”

The Board of the HSE asked PricewaterhouseCoopers (PwC) to conduct an independent review. PwC published a 157-page Independent Post Incident Review on December 3, 2021. Perhaps the most shocking finding in the report was that the HSE was running this massive national healthcare system without a CISO. PwC determined that HSE had 15 inexperienced full-time cybersecurity staff members, which included two students. According to PwC, “The HSE does not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.” The moral of this story is obvious. Having a single responsible owner for cybersecurity, like a CISO, is crucial and may have prevented this ransomware attack.

Because HSE didn’t have a dedicated person to oversee the security of its critical infrastructure, it cost them $600 million. Even if HSE had hired a CISO at a $1 million annual salary, they could still have potentially saved hundreds of millions of dollars. We’ve all heard lots of outrageous stories about organizations not taking their cybersecurity seriously, but in my opinion, HSE tops the list.

I would like to see a federal regulation in the United States that requires organizations that do business with the U.S. government (local, state, and federal), and those that fall within the 16 critical infrastructure sectors as defined by CISA, to have a dedicated cybersecurity executive, like a CISO, lead the organization’s cybersecurity, privacy, and compliance program.

Does hiring a CISO guarantee that your business won’t get hacked? Of course not. Having a CISO, however, ensures there is an experienced executive-level person who can focus on protecting the organization from cyberattacks, provide strategic leadership, understand risk management, know how to best secure business assets, and explain to senior management and the Board of Directors what the company’s risk appetite and tolerance are. I disagree with people who say that employing a CISO makes sense only for large organizations. There are too many small organizations that provide crucial services to our critical infrastructure sectors and government agencies. They need a person in a CISO-type role just as badly as some of the larger enterprises. The fact of the matter is that large corporations rely on small organizations to do business. Therefore, securing smaller organizations is just as important.

Organizations that don’t invest in a dedicated cybersecurity executive, such as a CISO, are sitting ducks waiting to be hacked. The first thing they will do after they are hacked is hire a consulting company, who will tell them they need to hire a dedicated CISO. We have seen this movie too many times. Because digital attacks are not “visible” like a missile strike, it’s hard for these organizations to visualize them. Getting hacked and suffering huge financial losses seems to be the only way for them to realize that cybersecurity is important and cyberattacks are real enough to justify hiring an executive who will be devoted to overseeing the entire cybersecurity program. This includes all corporate-wide security programs, standards, procedures, information security policies, regulatory compliance, cybersecurity awareness training, secure software development, vendor risk assessment, and much more.


Who Should the CISO Report To?

I strongly believe that a CISO should always report directly to the highest authority within the organization, such as the CEO or President. James Carder makes a compelling case in his Forbes article Why Your CISO Should Report Directly To The CEO. By making the CISO report to the Chief Financial Officer (CFO), Chief Information Officer (CIO), or Chief Operating Officer (COO), you are minimizing the importance of their role and also impacting the budget for your cybersecurity program. Simply put, other CxOs do not have the security obligations or responsibilities that the CISO has. Their positions also don’t require cybersecurity to be the highest priority. The CISO should work closely with the other CxOs to better understand the organization’s security risks and propose the budget to the CEO accordingly. This will also put the organization in a much better position to decide how much risk it is willing to accept. There should be no buffer between the CISO and the CEO.

Security Intelligence suggests, “For more accountability, a CISO should report to the chief executive officer (CEO) or another C-suite executive who is not the chief information officer (CIO). Creating strong integration and interaction between the CISO and the rest of the C-suite creates enhanced resilience and protection for organizations.” In the article Why CISOs Shouldn’t Report to CIOs in the C-Suite, the author makes a valid point that information security is a business risk, not a technical risk: “With IT leading the way for information security, it made sense that the senior security professional came from the IT department. We are at a crossroads today where we need to move security out from under IT and treat it as a business risk rather than a technical problem.” Therefore, CISOs should be elevated from IT to the C-suite to establish more visibility. The CISO role carries many more responsibilities beyond traditional IT, and that’s why CISOs are no longer reporting to the CIO and CFO.

CISO - Chief Information Security Officer

It’s important for CISOs to have high-level visibility to do their job effectively. It also makes the employees, Board of Directors, and shareholders realize how serious the organization is about cybersecurity and protecting its business assets. As a Certified Ethical Hacker, I know a thing or two about how hackers think. Hackers are more likely to target an organization that doesn’t have a CISO, even if the organization has a very strong cybersecurity infrastructure in place behind the scenes. If a company has not invested in hiring a dedicated security expert to run its cybersecurity program, it only makes sense that hackers would target this low-hanging fruit (in their mind) first before taking on the more “challenging” tasks. By highlighting the presence of a CISO on your company’s website, you are also enhancing your credibility with your business clients. In addition, it will be easier for your organization to pass an external security audit for a regulatory compliance certification, such as ISO 27001 or Sarbanes-Oxley (SOX), if you are represented by a CISO.

Joan Goodchild makes some compelling points in her article to support the case for the CISO reporting directly to the CEO. She also points out that a CISO reporting to a CIO can be harmful: “And some research backs up the notion that a CISO-CIO reporting structure can be harmful. A report from PWC finds that financial losses are 46% higher in organizations where the CISO reports to the CIO.” A CISO-CIO reporting line can also cause other issues: “‘If you consider the CIA triad (Confidentiality, Integrity and Availability), CISOs and CIOs can have conflicting objectives. CIOs will prioritize availability, whereas CISOs are focused on confidentiality and integrity,’ said Rick Holland, CISO of Digital Shadows. ‘Potential conflicts of interest can complicate CIO-CISO reporting lines.’”

PricewaterhouseCoopers (PwC) found that financial losses are 46% higher in organizations where the CISO reports to the CIO.

Organizations that make the CISO report to an executive other than the CEO primarily do so for the following reasons:

  1. Internal company politics.
  2. Lack of understanding of the CISO role.
  3. Tradition (the CISO reported to the CIO in the past, so why change now).
  4. Flattering someone within the organization or on the Board of Directors.
  5. Unwillingness to reorganize the business.

From a business perspective, none of the above reasons are justifiable. A CISO reporting directly to the CEO is necessary in today’s digital world where information security is key to the survival of every business.

CISO vs. CSO: What Should be the Title?

The titles Chief Information Security Officer (CISO) and Chief Security Officer (CSO) are two of the common titles that organizations use for their highest-ranking security professional. So, which title should your organization use and how do you decide? First of all, in my opinion, having a dedicated individual in charge of the organization’s security program is much more important than the title itself. Having said that, if you go by the title alone, a CSO is responsible for physical security and the safety of people, while a CISO is responsible for the security of information assets. However, 80% of large enterprises use the CISO title. According to CSOonline, “IDG’s 2020 Security Priorities study found that CISO was the most common title at 41% of respondents, as opposed to 14% who worked at companies with a CSO and 16% for other titles. Interestingly, large enterprises are more likely to call their top security exec a CISO: 80% of those surveyed use that title.”

Why does the majority of organizations use the CISO title? CISOs are responsible for securing information assets. In the old days (the 1990s and early 2000s), physical security was very different. Today, with massive digital transformation across so many industries, physical security has morphed into digital security. Digital badges have replaced ID cards, key cards have replaced locks on buildings and server rooms, and security cameras have replaced security guards. Check out this interesting document by the Cybersecurity & Infrastructure Security Agency (CISA) called Cybersecurity and Physical Security Convergence.

80% of large enterprises use the CISO title for their top security executive.

From my perspective, due to the convergence of physical and digital security, what we are really protecting are “information assets,” which are the CISO’s responsibility. We protect physical assets like computers, servers, buildings, etc. because they contain information. We also protect people, who are considered an important business asset, because they also possess information. So, if information security is one of our primary objectives, it makes sense to call the top security executive the CISO.

Organizations Need to Pay More Attention to the CISO Role

The CISO role is an important one. Despite all the cyberattacks and loss of revenue in the past decade, a lot of organizations still fail to recognize that the cybersecurity threat is real and that a cyberattack can literally put them out of business. And it’s not just small businesses that need to be more aware of cybersecurity risks and hire a security expert at the senior executive level; large enterprises also need to pay more attention to the CISO’s role within their organization. Unfortunately, cybersecurity doesn’t seem to be a high priority for a significant number of companies listed in the Fortune 500, Fortune magazine’s list of the 500 largest companies in the United States by annual revenue.

A Bitglass.com report found that 38% of the 2019 Fortune 500 companies don’t have a CISO. This indicates to me that they assign the CISO duties to another executive who handles cybersecurity as a secondary role in a limited capacity. I know many businesses that practice this strategy. As the owner of a cybersecurity company once told me, he is fully aware that his company has grown considerably and that they haven’t really done much in terms of cybersecurity. He said, “I know we are a sitting duck and it’s only a matter of time when we’ll get hacked. I don’t really want to be in the news and it’s keeping me up at night.” And yet, he hasn’t invested much in securing his company. He has implemented MFA and some random policies here and there, but there is no comprehensive plan, strategy, or cybersecurity program. This is not an isolated case.

I know many organizations, including cybersecurity companies and Managed Services Providers (MSPs) that offer cybersecurity services to other organizations, that have practically no cybersecurity program and no CISO or other dedicated individual to oversee their own information security. The sad part is that many actually believe their organization is secure when it’s not.

Unfortunately, many organizations don’t take cybersecurity seriously until they get hacked. They need to rethink their strategy and take action now, before it’s too late.

As the graphic below indicates, of the 62% of Fortune 500 companies that have a CISO, only 4% have listed them on their company leadership pages. This is exactly the opposite of what these Fortune 500 companies need to do. They need to hire a CISO and make sure their picture and bio show up right next to the CEO’s, so everyone knows they have a CISO on their leadership team.

Fortune 500 CISO Statistics

Keep in mind that the Bitglass.com report is three years old, and things are changing rapidly. With FBI, CISA, and DHS warnings about potential cyberattacks from our adversaries, the CISO position is in high demand. In addition, CISA’s education efforts have raised cybersecurity awareness, and many organizations are now interested in achieving various regulatory compliance certifications, some because they are required to and others simply to enhance their security posture.

The Cyberwar Requires a CISO

The United States has been engaged in a cyberwar with our adversaries for well over a decade, and every business that’s connected to the Internet is a target in this digital war. If you have any doubts about us being in the middle of a cyberwar, check out some of these articles.

  1. Is the U.S. in a cyber war?
  2. America is Losing the Cyber War
  3. The Not-So Secret Cyber War
  4. America is Under Cyberattack

Can you imagine a country willing to fight a traditional, physical war without a Secretary of Defense (or equivalent)? If the answer is no, then it doesn’t make sense for an organization to fight a cyberwar without a dedicated CISO. In other words, just as a country would not want, let’s say, the Secretary of the Treasury to lead its military operations in a traditional war, an organization’s CFO should not lead the company’s security team in a cyberwar. Only a dedicated CISO is qualified to lead a team of security experts and successfully maneuver around the onslaught of continuous attacks in a cyberwar that is stealthy by nature.

Does your organization have a dedicated security executive like a CISO?

Additional Reading

Here are some articles related to this topic that are worth reading.

  1. U.S. Intelligence Agencies Warn About the Cyber Threats Posed by the Chinese Government
  2. Is the U.S. in a cyber war?
  3. The Not-So Secret Cyber War
  4. Cybersecurity and Physical Security Convergence

Copyright © 2022 SeattlePro Enterprises, LLC. All rights reserved.
