Use Your #1 Draft Pick on a CISO

Patrick Mahomes and Jalen Hurts were two of the best quarterbacks (QBs) in the NFL this season. Now, their teams are set to face off in Super Bowl LVII. Clearly, a football team’s success can hinge on its QB. The QB is the leader on the field, needing to make quick decisions and execute plays with precision and accuracy. In the business world, a company’s Chief Information Security Officer (CISO) can take on a similar role. The CISO leads the organization’s information security strategy, and works to protect the company’s assets and maintain compliance with industry standards and regulations.

What QBs and CISOs Have in Common

In fact, there are several traits that top-performing QBs and CISOs tend to share:

Leadership: Both QBs and CISOs take on leadership roles within their respective teams. A QB must be able to inspire and motivate their teammates, and serve as a representative of the team in the public eye. A CISO must be able to communicate effectively with other members of the organization to educate them about risks and protection measures.

Decisive: Both roles require making quick and calculated decisions under pressure. A QB needs to be able to read the defense, call plays, and choose the right throws to make depending on the situation, while a CISO needs to be able to identify and assess security risks, develop and implement security strategies, and respond to security incidents in a timely and effective manner.

Adaptable: To make the necessary adjustments to their strategies, QBs and CISOs must adapt to different situations. While a QB needs to adapt their play style to different teams and defenses, a CISO needs to anticipate and respond to changing security threats and technologies.

Knowledgeable: Without a comprehensive understanding of their respective fields, it is unlikely that a QB or CISO will be successful in the long run. A QB needs to have intimate knowledge of the game of football and the strategies and plays used by different teams, while a CISO needs to have a deep awareness of the organization’s technology infrastructure and the various compliance and regulatory requirements that apply.

What CISOs Do

Taking a timeout from the analogy for a bit, it’s worth understanding some specific functions that a CISO performs within an organization:

Developing security strategy: The CISO is responsible for developing and implementing a comprehensive security strategy that aligns with the organization’s goals and objectives. This includes identifying and assessing risks to the organization and its information assets, and developing plans to mitigate or manage those risks.

Implementing security controls: The CISO oversees the implementation and maintenance of security controls that protect the organization’s information assets, including firewalls, intrusion detection systems, encryption, and access controls. These controls help protect the organization’s sensitive information from unauthorized access and breaches.

Meeting compliance and regulatory requirements: The CISO must be familiar with the compliance and regulatory requirements that apply to the organization, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR), and must know how to meet them. Maintaining compliance helps minimize the risk of costly fines and reputational damage.

Leading incident response: The CISO is responsible for developing and implementing incident response procedures, and for leading the organization’s response to security incidents. This includes identifying and containing the incident, recovering from it, and taking steps to prevent similar incidents from happening in the future.

Communicating and educating: The CISO must communicate effectively with other members of the organization, including senior management, to educate them about security risks and the measures being taken to protect the organization.

Managing vendors: The CISO may be responsible for overseeing the security of vendors and third-party service providers that have access to the organization’s information assets. This includes reviewing vendor security policies, performing security assessments, and monitoring vendor compliance with security standards.

Top QBs and CISOs Require Significant Investment

Picking our analogy back up, another similarity between QBs and CISOs is that the good ones tend to require a significant level of investment. However, while the cost of a top-tier QB or CISO may be high, the value that each brings to their team can be substantial. QBs like Mahomes and Hurts can lead a team to the Super Bowl, generating millions of dollars in revenue and potentially bringing home a championship. Similarly, a top-tier CISO who is able to protect a company’s assets and maintain compliance with regulations can help build brand loyalty and potentially save the company from costly fines and reputational damage.

The increasing sophistication of cyber threats and the growing importance of cybersecurity means that organizations have become more willing to invest in CISOs to protect their information systems and data. The high cost of a CISO is, therefore, a reflection of the importance of their role and the level of expertise required to effectively lead the security of an organization.

By investing in a top-notch CISO, organizations can better protect their information systems and data and navigate the ever-changing cybersecurity landscape. Whether the organization is just starting to build its security program or looking to strengthen its existing program, a strong CISO can provide the leadership and expertise needed to secure the organization and protect against cyber threats. After taking time to evaluate cybersecurity needs, organizations should use their #1 picks to draft the best possible CISOs for their team. Investing in a top-notch CISO can provide peace of mind and enhance the success of an organization.

Consider Drafting a Sikich vCISO

While it’s clear that the vast majority of organizations could benefit from having a CISO, not all companies can afford the high cost typically associated with one. For that reason, Sikich offers a virtual CISO (vCISO) service. Sikich’s vCISO service can help fulfill the role of a CISO while providing cost savings. Sikich can provide a dedicated and experienced CISO who can help develop and implement a comprehensive security strategy, manage security risks, and oversee compliance efforts for your organization.

This vCISO service can be beneficial for companies that do not have the resources or expertise to hire a full-time CISO, but still want the benefits of having a dedicated security professional on their team.

To learn more about Sikich’s vCISO offering, please contact our team.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author