Information security concerns companies of all sizes and comprises much more than IT security-related aspects. “A Chief Information Security Officer is an expert who's responsible for systematically mapping potential risks, both technological and organisational, which could negatively affect the company’s operations, and for designing adequate protective measures. The work of a CISO is very well characterised by the phrase: it's better to be safe than sorry,” KPMG’s cyber security expert Igmar Ilves said.
The CISO must ensure that the company has internal information security policies in place, which are approved by a decision of the company’s management board. In addition to technical (IT-specific) guidelines, the policies should, among other things, set out the requirements for protecting the company’s information by its employees when they are outside the company’s premises and the rules to be followed by persons visiting the company’s premises. The information security policies need to be regularly reviewed and kept up-to-date by the CISO, as technology and hence the methods used by criminals are constantly changing.
“It’s a fairly common perception among many businesses that information security takes a lot of money, although the likelihood of an incident is low. Therefore, the attention paid to security and the resources allocated to it remain rather minimal. It’s true that some companies can operate for a long time without experiencing any security incidents, and becoming a victim of an attack is indeed a bit of a ‘gamble’. However, we have seen quite a few incidents where a well-known company’s reputation is damaged as a result of a cyber-attack or a physical attack on its infrastructure. By the way, information security incidents should not be seen as deriving solely from external threats, as it can also happen that a company’s employees disclose sensitive company data, intentionally or unintentionally, to third parties, via social media, for example. Therefore, it should be borne in mind that information security is a real and important issue that can affect the sustainability of a company’s business, and any company, regardless of size, should think about the risks involved. Otherwise, there's a risk of potential loss of customer trust, reduced profits and reputational damage,” Igmar Ilves said.
“Incidentally, we've also noticed that companies which have experienced a cyber-attack often don’t have a separate position or role of a CISO,” Ilves added. Companies that have established a CISO position or have an employee performing that role are generally in a better situation. However, according to Ilves, many companies tend to worsen their situation by putting the CISO under the Chief Information Officer (CIO).
“Taking into account the importance of IT solutions in the different processes of a company today, it's understandable why such decisions (the CISO under the CIO) have been made historically. However, such a setup will likely lead to contradictory situations. First, information security must encompass the protection of all company data and not be limited to IT. In other words, the job of the CISO is to protect the business as a whole, not just IT-related equipment and data. Therefore, the domain-specific competencies of a CISO are much broader than those of a CIO. Second, working under the CIO creates difficulties in allocating resources to information security, as the focus and priorities of the CIO don’t necessarily coincide with those of the CISO. Third, it is the CIO’s responsibility to ensure that information systems are set up in accordance with security best practices, while the CISO is the person who should check these systems from a security point of view. The third point shows a clear conflict – it is more than likely that the CISO would have to give orders to the CIO, their superior. Some CISOs may not dare to point to problems in such a situation. Obviously, every company is different, and its specific characteristics should be taken into account when creating roles and hierarchical relationships. Having said that, I believe most companies would benefit from a structure where the CISO reports directly to a senior manager. However, the situation where the CIO performs the role of a CISO is even more problematic because it is clear that the CIO does not really have time to perform the tasks of a CISO properly and, besides, they often lack the required competence, too.”
According to Igmar Ilves, it is probably not feasible for most small and even many medium-sized companies to hire a full-time CISO. Yet, many of a CISO’s tasks are still extremely important for these companies as well and should be addressed in some way. To start with, any company, regardless of its size, can certainly perform some tasks itself without having to recruit anyone in addition. For example, it is possible to conduct an internal information security threat assessment in a simplified form, where the company’s key personnel hold informal brainstorming meetings and work out scenarios that are most likely to have the greatest impact on the company. A lot of useful information on potential risks is easy to find on the internet and completely free of charge. This way, a company will have at least some idea of the threats that might affect its business and what security measures should be considered. “Of course, if a company doesn't have the relevant competence, it may, based on such a risk analysis, assess the situation inadequately, but such an assessment is still better than nothing,” Ilves said.
“There are quite a few organisations and companies where the responsibilities of the CISO are shared between different people, but life has shown that they don’t have much time to deal with security issues in addition to their main job. As a result, the information security situation remains poor,” Ilves described. Even if a company has an adequate information security policy and rules (e.g. created with the help of another company), the absence of a CISO means that the company does not have a competent person who would have the time and resources to monitor compliance with the established rules. And if there is no control mechanism in place, the rules are either not followed or are followed inconsistently.
Suppose a company does not have an in-house CISO but needs such an expert (or its current CISO needs support). In that case, an alternative to hiring is to outsource CISO responsibilities to an external service provider.
“One of the services that KPMG offers its clients is CISO as a service. What this means essentially is that we fill the position of a CISO in the client’s company. Regarding working time, the standard options are from quarter-time to full-time, but all this is negotiable based on the client’s needs. We will provide the support for as long as a company needs it. For example, a company may need CISO as a service for one year. In that case, we'll perform the tasks of a CISO for one year, and after that, the company can continue the work using its own resources,” Ilves said. He added that another argument for using CISO as a service is that it is extremely difficult to find suitable and well-qualified candidates for the position of CISO.
“With CISO as a service, there's no need for a company to spend resources on recruitment, salary and social security charges. In addition, it's not necessary to invest in maintaining the employee’s competence.”
CISO as a service is not provided by just one person: KPMG’s service involves an experienced team whose members, in addition to years of experience in the field, also hold various internationally recognised professional certificates. “Our strength is our people. All members of the team have gone through a rigorous recruitment process to ensure that we have found the best of the best for our team. It's also important to note that our team members’ experience is diverse, increasing the value of the service for our clients. The team members include computer network security testers, web application security testers, cloud security testers, IT auditors, analysts, digital forensics experts, former CISOs, system administrators, software developers, and many others,” Ilves said. Therefore, CISO as a service certainly provides more value to a company compared to hiring a single expert.
“It's very difficult to find a highly qualified CISO with excellent knowledge of both organisational and technical security, and the monthly salary cost of such an expert is at least 5,000 euros. It's also worth bearing in mind that recruitment itself takes time and money. After hiring, the CISO will have to be paid a salary plus labour taxes, and they will have to maintain their skills through high-quality IT security and cyber security training courses. In the long run, hiring a person is very likely to be more expensive and of less value than buying in CISO as a service offered by KPMG, for example,” Ilves said.
Igmar Ilves
Senior Cyber Security Advisor
KPMG Baltics OÜ