Setting up a CISO for success—this is how we did it
Pragmatically introducing a CISO function while respecting the company culture, thereby avoiding a prior €10M+ investment case.
01. THE QUESTION
Digitisation is going fast in pretty much every industry. As an important importer and distributor, our customer didn’t sit around waiting for innovation to pass by. They created an online space for their customers with a search tool, a personal account space, an app, etcetera. But such a far-reaching online presence and storage of clients’ personal info comes with risks. After all, hackers love data, and they’re constantly looking for companies whose security is weak enough to let them get their hands on that data.
Our customer understood you can’t play around when it comes to cybersecurity, so they appointed a Chief Information and Security Officer (CISO). An important role, but not an easy one, as this person has to find a balance between creating a secure environment within the budget and not upsetting people with a too-tight security plan.
The customer had engaged one of the traditional large consulting firms to draw up the plans. The outcome was exuberant: overly complex, way too costly and no fit with the company culture. That’s why the new CISO asked Addestino to help draw up pragmatic plans regarding team members and responsibilities.
02. THE PROCESS
We first made a list of all the tasks and responsibilities of a Chief Information and Security Officer: Identity and Access Management, Cybersecurity, Emergency Response, Disaster Recovery, etcetera.
Once the tasks and responsibilities were clear, we looked at how the CISO should act. Should they be a ‘red’ type: someone who’s very dominant and controlling? Or should they be ‘blue’: someone who factually reports on the current situation but lets others take care of issues? Then again, ‘green’ types are more cooperative, working together with the team and the company to find the best solutions, security-wise.
Which type to pick depends on the company, its history, its needs and the dynamics within said company. For us, it was clear that our customer is a strong company where trust and working together are key. This meant the CISO needed to exude that same attitude, being someone who involves everyone in the security team and other key players in the company.
03. THE RESULT
The company now has a strong Information & Security team, headed by the CISO. A good working balance between security and the business has been found: the security level is definitely increasing, while the company culture has been respected. And all of this has been achieved in a fraction of the time and budget of the original plan.
At Addestino, we love creating impact instead of telling exuberant stories.