Why the role of a CISO can reduce the average cost of a data breach

Filling the CISO position with the right person can reduce the costs a company will experience from a data breach. Expert Ernest Hayden explains why.

The 2011 Cost of Data Breach Study conducted by Symantec and the Ponemon Institute provided some valuable information about the average cost of an enterprise data breach. The study, released in March, also recognized that organizations with a chief information security officer (CISO) in place experienced reduced costs for data breaches, which is right on target from my experience.

While it would be interesting to see an analysis detailing the percentage of enterprises with CISOs that have suffered a data breach, I do suspect that an organization without a CISO is more prone to a security fault. Why, you might ask?

In this tip, I'll explore what effect the CISO role has on breach prevention and determine whether CISOs can play a part in reducing the average cost of a data breach.

The role of a CISO: Security evangelist and conscience

First and foremost, having a CISO on staff (regardless of reporting relationship) essentially gives the company an internal security "conscience." A CISO can be a subtle, internal driver for employees and management to consider information security in their big-picture business decisions and in individual, day-to-day actions. Designating a CISO also demonstrates the executive management team's commitment toward ensuring a more secure environment, both for the company and its customers. Having a CISO sends a message that security is important to the business and can't be ignored.

In terms of data breaches specifically, a CISO gives an organization a designated in-house expert to handle a breach incident and any associated investigations. If the CISO's role is filled by a quality candidate, he or she will likely create an incident response team and an effective communications structure, including legal, human resources, public relations and IT operations, in the event of a suspected breach. This all means that a data breach is likely to be discovered, analyzed and responded to more quickly, limiting or often preventing serious monetary damage to a company. Without a CISO, there's often no guarantee that an organization will even know how to respond, never mind do so successfully.

Regarding CISO responsibilities and the CISO's role relative to security governance, I have argued before (and still believe today) that an effective CISO should be actively involved with the company and executive decision making. Also, rather than maintaining a "security bubble," the CISO should serve as an evangelist and make it a point to raise awareness that security is everyone's job.

Now, specific to the Symantec and Ponemon Institute findings, it would be helpful to know if companies with reduced data breach costs not only have CISOs in-house, but also have them as active players in the enterprise. Would they have meaningful influence in important IT and business decision-making processes, helping to shape business actions that reduce business risk? That, in turn, would reduce the likelihood of a data breach. I would wager that organizations with CISOs who are trusted and empowered in this way experience lower average data breach costs.

Getting the most out of a CISO

What steps can be taken to boost security with a CISO on board? If a company has not already designated and assigned a CISO, it is important to put a qualified person in the CISO role as soon as is practical. Every large enterprise should have a CISO in this day and age, and many SMBs should too, or at a minimum have a director-level IT manager whose primary responsibility is information security. An organization should assign measurable responsibilities to a new CISO and hold that person accountable for the company's security posture and profile. Providing adequate funds to properly staff the security team is also important; even great CISOs need talent around them to effect real change.

The executive management team can help empower the CISO to be more effective by actively supporting and backing him or her. To foster an understanding that the role is an extension of the senior executive team, the CISO should also have the opportunity to meet and brief executive staff, the board of directors and key customers.

Security as a priority

Preventing or limiting data breaches and ultimately maintaining a secure enterprise means filling the role of a CISO with a strong candidate capable of sustaining the corporate security conscience. One of the trickle-down benefits of a strong CISO is likely to be reduced data breach costs, but enterprises must remember that a CISO alone cannot make them secure. He or she must be able to build out a quality team and, perhaps even more importantly, every member of the organization needs to buy into the idea that security is important to the business. A strong CISO must provide the reminder that security is everyone's job.

About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for more than 12 years in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, leadership, management and research in conjunction with his 35-year professional career primarily in the energy and critical infrastructure protection business. Based in Seattle, Hayden holds the title of managing principal - critical infrastructure protection/cyber security on Verizon's RISK Team, devoting much of his time to energy, utility, critical infrastructure and smart grid security on a global basis. Prior to his current position at Verizon, Hayden held roles as an information security officer/manager at the Port of Seattle, Group Health Cooperative (Seattle), and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at

This was last published in December 2012
