Do you need a CISO?
When asked if they need a chief information security officer (CISO), many small and midsize organizations say no.
According to Gartner, the common reasons given are:
“We are not regulated, so we don’t need a CISO.”
“We are small and not a target.”
“We don’t have anything anybody would want.”1
While these statements may reflect popular opinion, the statistics tell a different story. In the same year as Gartner’s survey, just under half (46%) of all cyber breaches impacted businesses with fewer than 1,000 employees.2 In addition, 82% of ransomware attacks were against that same segment of companies (those with fewer than 1,000 employees).3
Fast forward a few years, and the story is similar. A study released in June 2023 states that 61% of SMBs (in the U.S. and the UK) were hit by a cyberattack in the past year. The same study also found that 87% of IT decision-makers at mid-market organizations experienced two or more successful attacks during the same period, and that 89% of attacks involved data exfiltration—the unauthorized transfer of data out of the organization by an attacker.4
What about 2024? Although the year is not finished, a mid-year analysis released by Check Point offers some insight into the trends. According to the company’s research, cyberattacks globally increased 30% in Q2 2024 compared with the same quarter of the previous year, amounting to an average of 1,636 attacks per organization per week.5
The cyber landscape is one of constant threat. Cyberattacks, whether they target known vulnerabilities, flood servers with traffic, or simply use brute-force tactics to guess credentials, are persistent—they will never go away, only increase in frequency. In fact, ransomware attacks are predicted to occur every two seconds by 2031.6
Do you need a CISO? Before you decide, let’s review what a CISO actually does.
Responsibilities of a CISO
The CISO is a key leadership position. Specific responsibilities of the role may vary by organization, but at its core, the CISO is the person primarily responsible for creating and leading an organization’s information security program.
Building a security program requires a core set of functions made up of programs and sub-programs, with appropriate governance for oversight and enforcement. At a minimum, organizations of all sizes need standard policies and procedures for incident management, identity and access management, data management, and change management, as well as a security architecture that protects against known threats and vulnerabilities.
CISOs serve a vital role in protecting an organization. Hiring a person to fill the position, however, can be a challenge. CISOs are highly skilled, well-paid professionals who earn annual salaries ranging from $177,000 to $314,000 or more.7 Few people have the experience needed to carry out the duties of the role—and those who do are typically unavailable and hard to lure away from their current employers.