How to be a CISO and why they should be on the board in Hong Kong
The Chief Information Security Officer (CISO) role has come a long way since its genesis in the mid-1990s, when pioneer Steve Katz became the world’s first CISO at Citicorp (later Citigroup) following a major security breach at the bank.
In those early years, CISOs spent much of their tenure lobbying for bigger security budgets, only for the executive leadership team, after the inevitable cyber attack, to ask ‘What happened?’ and ‘Why didn’t we prevent it?’.
Thirty years later, as the global digital landscape accelerates, more and more candidates are asking what it means to be a CISO and how to succeed in today’s business landscape. We took a closer look at the CISO role with Melissa Lau, a Director at Robert Half Hong Kong and a specialised tech recruiter with more than a decade of experience, and at why it’s crucial to have a CISO on the board of any organisation whose complexity, risk exposure, or regulatory obligations call for dedicated executive leadership on security.
How to be a CISO in today’s modern workplace
Since the mid-90s, protecting companies against cyber attacks has raced up the agenda. Security specialists have grown in stature from high-end technical consultants to critical executive leaders working across every facet of a business. In 2024, the role of a CISO is a pivotal one in any organisation that handles large amounts of data, is highly regulated, or is at meaningful risk of cyber attack.
“The responsibilities of – and challenges facing – today’s CISOs are far-reaching,” says Melissa. “How to be a CISO today? In addition to leading the strategy for the business, board reporting, and executive leadership, the CISO will lead risk assessment and mitigation, policy development, compliance, and auditing/reporting. They’ll also design and maintain their organisation’s security architecture, and evaluate and implement emerging technology.
“With the average cost of a data breach in Hong Kong estimated to be HK$31.98 million, today’s CISO must also be ever-ready to lead the response to incidents when they do occur.”
Who does the CISO report to?
Though reporting structures vary with a company’s size, industry, and hierarchy, the CISO typically reports to the CEO or to another C-suite executive such as the CIO, CFO, or COO.
When reporting directly to the CEO, the CISO has direct access to the highest level of decision-making in the business. Other reporting lines usually reflect how the business aligns cybersecurity with its operational, financial, or IT functions. One caveat practitioners raise: a CISO who reports to the CIO sits inside the function whose systems they must scrutinise and challenge, which is why many organisations prefer a line to the CEO or to the board’s risk or audit committee.
Why it’s crucial to have a CISO on the board in Hong Kong
Once you know how to be a CISO and what the role involves, it becomes clear why the CISO should have a seat on the board.
Here are five reasons why it’s considered crucial to have a CISO on the board in Hong Kong:
- “With a CISO representing security matters on a company’s board, they can directly communicate what is happening in the business to its ultimate decision-makers. Security matters can be highly technical and complex, often getting ‘lost in translation’ without an expert advocating for them on a permanent basis, so having a CISO on the board ensures dedicated attention and resources are allocated to protect the business,” says Melissa.
- The CISO also understands how fast the security landscape is changing and, of all board members, will be the one most in tune with the evolving nature of the industry and the complexity of cyber threats. Internally, their impact is just as great: a CISO can share the latest insights with C-suite colleagues, enabling them to understand and weigh security risk in the context of the bigger picture.
- Strategically, a CISO oversees the continuous monitoring of systems while also developing policies, training plans, and remediation programmes. In the boardroom, they can help the whole board take a proactive approach to security, because their view of the threat landscape shapes how others assess risk. With a CISO on the board, a company is much more likely to improve its security posture before an attack takes place rather than after it.
- “Organisations with a substantial number of employees – typically 1,000 or more – and complex IT infrastructures require dedicated leadership for cybersecurity,” Melissa continues. “Likewise, companies operating in multiple countries face diverse regulatory requirements and a broader threat landscape, necessitating the strategic oversight a CISO brings to the table.”
- Fast-growing companies that are scaling their operations, customer base, and/or technology infrastructure should also consider appointing a CISO to manage expanding cybersecurity risks. Or if a business is undergoing significant digital transformation, such as adopting cloud services or IoT, it’s critical to have a CISO on the board to ensure security is integrated into all new technologies and processes.
Into the future: how to be a CISO of the future
No rest for the CISO! The role is constantly evolving in response to emerging trends and technologies, and aspiring CISOs should commit to keeping up with how those changes reshape the threat landscape and the controls available to counter it.
For example:
- AI and machine learning are being increasingly used in cybersecurity for threat detection, anomaly detection, and automated response capabilities.
- Zero-trust security assumes that threats can originate both inside and outside the network, so no request is trusted simply because of where it comes from: every access is authenticated, the device is checked, and authorisation is evaluated per request, whether the user sits inside or outside the traditional network perimeter.
- With organisations increasingly adopting cloud services and migrating workloads to cloud environments (public, private, or hybrid), ensuring robust cloud security has become paramount.
- The proliferation of IoT (Internet of Things) devices in workplaces and homes introduces new risks – especially with so many people working in hybrid roles or from home full-time – due to their often inadequate security measures and potential for exploitation in large-scale attacks.
- Ransomware and cyber extortion attacks continue to evolve, with perpetrators using increasingly sophisticated tactics to encrypt critical data and demand ransom payments for decryption keys, and frequently exfiltrating data before encryption so that they can also threaten to publish it (so-called double extortion).
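To make the zero-trust point in the list above concrete, here is an added illustration (not code from the original article or from Robert Half) that evaluates the same access request under a legacy perimeter model and under a zero-trust model. The office address range, the resource-to-role mapping, the user directory, and the request scenarios are all hypothetical and constructed for the example; a real deployment would take these signals from an identity provider, a device-management service, and a policy engine.

```python
"""Perimeter trust vs zero trust: the same request, two access decisions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical office address range: the only signal a perimeter model looks at.
CORPORATE_NETWORK = ip_network("10.0.0.0/8")

# Hypothetical directory data: the role each resource requires, and the roles each user holds.
RESOURCE_ROLE = {"payroll-db": "finance", "hr-records": "hr", "intranet-wiki": "employee"}
USER_ROLES = {
    "alice": {"employee", "finance"},
    "bob": {"employee", "hr"},
    "contractor": {"employee"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool = False     # did the identity provider complete MFA for this session?
    device_managed: bool = False   # is the device enrolled in device management?
    device_patched: bool = False   # does device management report it as up to date?


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: a request from inside the office network is trusted, full stop."""
    return ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust model: network location is ignored. Identity, device health and
    authorisation are all verified on every request. Returns (allowed, reason)."""
    if not req.mfa_verified:
        return False, "identity not strongly verified (MFA missing)"
    if not (req.device_managed and req.device_patched):
        return False, "device not compliant"
    required = RESOURCE_ROLE.get(req.resource)
    if required is None:
        return False, "unknown resource"
    if required not in USER_ROLES.get(req.user, set()):
        return False, f"user lacks role '{required}'"
    return True, "identity, device and authorisation verified"


def compare(req: AccessRequest) -> dict:
    """Side-by-side verdicts for one request under both models."""
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed scenarios (not real traffic).
    scenarios = {
        "attacker on a compromised host inside the office LAN":
            AccessRequest("mallory", "10.1.2.3", "payroll-db"),
        "finance staff working from home on a compliant laptop":
            AccessRequest("alice", "203.0.113.5", "payroll-db", True, True, True),
        "HR staff trying to reach the payroll database":
            AccessRequest("bob", "203.0.113.5", "payroll-db", True, True, True),
        "finance staff on an unpatched laptop":
            AccessRequest("alice", "10.9.8.7", "payroll-db", True, True, False),
    }
    for label, req in scenarios.items():
        print(f"{label}: {compare(req)}")
```

The first scenario is the one that motivates zero trust: the perimeter model waves through an attacker who has simply gained a foothold on the internal network, while the zero-trust model denies them because they cannot prove identity or device health. The second shows the flip side, a legitimate remote worker who the perimeter model would block. The third and fourth show that zero trust also enforces least privilege and device compliance, which a perimeter check never considers.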
A modern CISO is someone with deep technical expertise who can represent risk and security at a board level but who is adept at communicating with executives at every level. They are skilled leaders, influencing the strategic decisions of their C-suite colleagues and those using technology every day. Their role impacts everyone in a business; their specialist knowledge ultimately helps to protect against the potentially devastating personal (and commercial) impacts of a cyber-attack.
When considering how to be a CISO, a successful one will combine business acumen with technical skill. No longer the lone voice in the corner pressuring boards for bigger budgets to protect the business and its greatest asset (its people), CISOs are now trusted advisers in the boardroom, influencing strategic decisions that make cybersecurity a foundational component of business operations.
Frequently Asked Questions (FAQs)
What qualifications are needed to be a CISO?
To become a CISO, the qualifications usually expected include a degree in computer science, IT, or a related field (increasingly also law, business, or risk management), coupled with certifications such as CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager).
What is the role of the CISO?
The CISO is responsible for overseeing an organisation's cybersecurity strategy and implementation. Their role includes leading risk assessment and management, developing and enforcing security policies and procedures, ensuring compliance with regulatory requirements, and overseeing incident response and disaster recovery efforts. CISOs collaborate closely with executive leadership and IT teams to integrate security measures into business operations, educate employees on best practices, and stay ahead of evolving cyber threats through continuous monitoring and adaptation of security technologies and practices.
What skills are required to be a CISO?
To become a CISO, individuals typically need a blend of technical expertise, leadership skills, and business acumen. They’ll be effective communicators, strategic planners, and collaborators. Key skills include a deep understanding of cybersecurity principles, risk management, and compliance frameworks.
How does a CISO report to the board of directors?
A CISO reports to the board of directors by providing regular updates on the organisation’s cybersecurity posture, risks, and compliance status. They will develop and present reports outlining emerging threats, incidents, and the effectiveness of current security measures. They’ll also educate the board on cybersecurity best practices and trends, translating technical details into strategic insights that align with business objectives.