Do I need a CISO?

A Chief Information Security Officer is a senior-level executive responsible for protecting your data and intellectual property, and your information systems and processes. They understand your business strategy, your legal and market requirements, and your business’s risk appetite, and they ensure that these are all met.

They are also responsible for planning and implementing the business’s IT security strategy: making security decisions, assessing risk, and keeping the C-suite apprised of risk and risk management.

More broadly, they provide leadership and management throughout the business at an IT, process, and cultural level.

The fact is that security has become an enormous concern in our lives, and we need to keep our eyes open.

In a business the problem is magnified ten- or a hundred-fold. Aside from email and phone scams, which target businesses as well as individuals, there is a security risk every time your business hires a new employee or vendor, inks a new contract, connects your network to a new device, outsources any task, even makes a simple financial transaction. The risk is bigger when you take on investors or merge with or acquire another company.

This is why many companies hire a CISO. This is not the person who will help your company streamline its systems and processes or guide it through an ERP project. Nor is it the person who will set up the firewalls or install anti-virus software. Instead, a CISO is a strategic hire to put security at the heart of your business systems and processes.

CISOs become especially valuable as businesses become larger and more established. The job of security and risk management will simply become too big for the CIO or CTO. Another way to look at it is that the CISO frees up the CIO to implement the IT and technology that will help the business grow.


Why does it need to be someone in the C-suite? Because security is not simply a tech matter. Many of the highest-profile hacks have affected companies with highly expert teams and the most sophisticated security technology. Good security requires a commercially minded leader who fully understands the detailed technical issues, rather than just a technical expert.

A serious security lapse could cause your business catastrophic financial and reputational damage. A minor security lapse will cost you time and money. Any kind of lapse may have legal implications, resulting in lawsuits and fines.

On the other hand, addressing security concerns can provide a marketing advantage. In many industries, companies select suppliers who have impressive cybersecurity and compliance certifications. Thus, having a credible leader like a CISO enables you to gain new clients, secure funding, or generally raise your business’s profile.

CISOs are highly specialized and in-demand, so they command high salaries. Many mid-market businesses simply can’t afford to pay another executive’s full salary. Or they may be in an in-between stage where the security concerns are too time-consuming for a CIO but don’t yet merit a full-time salary. That’s why we often suggest a “fractional” or part-time CISO.

If you have questions about CISOs, or any other aspect of IT and technology, feel free to get in touch. We’re always up for a no-strings conversation about cybersecurity or any other aspect of running a mid-market business.
