It’s a common problem, and one we see all the time here at BTB Security. We conduct an annually required penetration test or security assessment for an organization and identify important security gaps that need to be addressed so that they don’t negatively impact the business. A frequently encountered example of such a gap is that too many employees have been granted unnecessary access to sensitive applications or data. The client takes some basic steps and believes the issues have been addressed, but when we return to do another assessment the following year, we find the same access control issues creating the same risk to the business’ information security.
What the company actually fixed were the symptoms, not the root problem. Their IT team cut off the access that had been granted to certain employees, which addressed the problem on the surface. But, without fixing the underlying issue – the faulty onboarding process for new employees – they have continued to grant unnecessary access to a new group of people within the organization.
This pattern plays out in a variety of ways in many organizations. The reason: No single individual in the company is responsible for the business’ overall security stance. Some organizations make security part of an IT person’s job, but operational duties usually force security to the bottom of their priority list. What’s more, such a person tends to be more tactical, often dealing with immediate issues, rather than strategically and proactively identifying root issues. The result: even though the business spent good money to improve their security, the same issues keep cropping up.
Why your organization needs a CISO
Every company needs a Chief Information Security Officer (CISO). A dedicated security executive, the CISO reports directly to the business’ senior leadership and/or the board of directors. They are responsible for setting and overseeing the policies, standards and procedures that keep the company compliant with regulations and within tolerance of its risk appetite. It’s an important role and one that should not be overlooked.
However, small and medium-sized companies often hesitate to create such a position. First, it’s expensive: typical CISO salaries range from $200,000 to $300,000 annually. But, more importantly, companies may not know how or where to start when creating the position. Often, the business’ corporate leadership recognizes the need for better security but isn’t sure exactly what that entails. That makes it hard to go out and hire the right CISO, or to effectively promote from within.
That’s why BTB created its CISO Advisory Practice, which helps organizations create, implement and maintain practical, effective information security programs tailored to their business. On a part-time basis, yet fully integrated into the client culture, BTB provides a CISO-caliber person to work with the organization’s existing security personnel and collaborate with other functions like HR, Legal and Compliance, in addition to Information Technology. This individual identifies security needs, sets strategy and puts the right procedures in place for the organization, coordinating the implementation of any additional technologies or processes required and maintaining the program – all in alignment with the company’s business strategy. Some clients use the service long-term instead of hiring their own full-time CISO. Others use it as an on-ramp to getting their own CISO, in which case BTB helps them build and implement a strategic security program, then helps them recruit, vet and hire the right candidate for the role.
When hiring, you’ll often find that there are plenty of candidates with the proper technical expertise for the role, but the key to finding a good CISO is getting someone who views the role as a business function, not just a technical one. Because BTB already knows the client’s business, and because we have helped design the security program, we have the expertise to help identify the best candidates for that particular client.
BTB’s service doesn’t end once a client hires their new CISO. BTB stays involved to help transition the new CISO into the role through training and coaching. By helping to match the right candidate with the right company, then making sure everyone works well together, we help the client achieve effective, long-term, strategic security.
Learn more about BTB Security and how we can help your organization improve its security posture through our CISO Advisory Practice or other security needs, including our MDR service that combines AI and deep human logic.