CSO and CISO in the manufacturing industry
Shadow warriors of Industry 4.0
The new SCOPE article series "Smart Leadership" regularly examines technologies and trend developments in Industry 4.0 from the perspective of leadership and HR management. In this issue: CSO and CISO in the manufacturing industry. By Jessica Volkwein
Anyone who wants to protect their value creation networks against industrial espionage and sabotage today has to deal with an almost unmanageable number and variety of attackers and weapons: from phishing emails, USB sticks, IoT devices and smartphones to eavesdropping attacks in the canteen - the weak point for a fatal attack on intellectual property (IP) or on critical infrastructure of the production process can open up anywhere.
Due to the numerous, diverse and often easily overlooked vulnerabilities, it is correspondingly difficult to effectively secure the most critical targets. Security technologies can help; in addition, however, companies generally build up effective protection or resilience against new attackers if an excellently qualified security officer is in charge of this task in the management team.
Shielding against the unknown
But which manager keeps an eye on the multitude of heterogeneous security issues and at the same time confidently manages interdisciplinary teams in order to permanently protect the company against threats from the unknown? Today, this responsibility lies primarily with the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO). The range of tasks varies depending on the type of organization and industry. If you want to develop a suitable job description for your company, you should know the general differences between a CSO and a CISO and assign these to their objectives and tasks:
Chief Security Officer ...
- are holistically responsible for the security of communication and all other information systems, in particular for interfaces to external systems (e.g. Internet). This includes physical network and product security as well as the security of employees, assets and facilities;
- develop secure business and communication practices and procure appropriate products and technologies;
- are responsible for employee training in security awareness and compliance with security policies;
- have a professional background with a focus on law, business administration or a military career.
Chief Information Security Officer ...
- are responsible for general IT security in order to minimize operational risks, based on the identification, design, implementation and continuous improvement of security-relevant processes;
- protect the IP and all valuable information in the company;
- develop and monitor the implementation of the company's information security strategy in all functional areas. This includes prevention, detection, incident response, risk and vulnerability management and security architectures. In addition, there are compliance issues, in Germany, for example, the implementation of the EU GDPR and the BSI KRITIS Regulation;
- mostly have an IT or technical background: 59% of CISOs in Fortune 100 companies started their career in IT/IT security, 19% in the military or government institutions [1].
Managing the absence of security
The common denominator of both positions: both usually report to the CEO, CIO or CTO, but represent more than just another functional level. It is their responsibility to manage both security and the absence of security. On the one hand, this requires them to be able to think in scenarios like a risk and crisis manager. On the other hand, it is important to create a security awareness within the company that becomes an integral part of the corporate culture and mission. Reactive security management is not enough. On the contrary, the entrepreneurial added value of the work of the CSO and CISO must become clear, for example in the preventative elimination of security vulnerabilities between departments.
A good mix of technical and communication skills is an advantage here: after all, a CSO/CISO must not only be technically adept and clear in their statements when interacting with all employees, but must also be a trustworthy advisor for the board level. First and foremost, this requires a willingness to deal intensively with the challenges associated with information security - and the ability to develop solutions and communicate them in an understandable and participative manner as a manager.
Sources & further websites on the topic:
[1] Infographic "The anatomy of a CISO", Digital Guardian 2016.
The author
Jessica Volkwein, Managing Director of the executive search consultancy LAB & Company, regularly highlights technologies and trend developments in Industry 4.0 from a leadership and HR management perspective in the "Smart Leadership" series.