Ernie Anderson, Head of Professional Services at Kudelski Security, speaks to Security about the importance of a deputy chief information security officer (CISO) and why this position is critical to addressing security risk management. 

Security: What is your background, current role and responsibilities?

Anderson: I have nearly 20 years of professional experience in cybersecurity consulting, including extensive work with CISOs and CIOs across multiple industries to define cybersecurity strategies and establish risk-driven cybersecurity programs. Before joining Kudelski Security, I was the North America practice lead for IBM’s Data and Application Security Services and have worked at Booz Allen Hamilton and Ernst & Young.

Currently, I lead Kudelski Security’s portfolio of professional and consulting services, including our CISO advisory consulting, technology and staff augmentation. Our services teams partner with CISO clients to help them define and execute a more strategic approach to their cybersecurity business. That includes project engagements and long-term support agreements that help define security strategies, deploy and optimize technologies, and provide skilled subject matter expertise.

Security: CISOs can have (arguably) the most challenging jobs on the organizational chart. Why is this the case, in your opinion? 

Anderson: There are a variety of trends that have done the job of CISO, one of the most difficult within a business. Companies have finally started putting more investment into security and risk management programs, so CISOs have a wider range of responsibilities, including being part of the executive team and more frequent reporting on progress to other leaders and the board (and taking the heat if sufficient progress is not made). There is increased pressure on CISOs to protect companies against increasing cyberattacks and risks, particularly when ensuring the remote or hybrid workforce is to access company networks securely. And many CISOs still lack the resources they need, whether it’s security tools or people.

Security: Why is a deputy CISO critical to addressing security risk management?

Anderson: Given all the challenges CISOs face and increasing responsibilities on their plate, having lieutenants or deputy CISOs is critical for an effective security team. Not preparing people to be able to take on the role of deputy CISO has created a virtuous cycle – there’s no one to take the CISOs place when they leave an organization, and the organization must then look to hire someone with experience from outside the organization, thus taking a CISO from another company. This is especially critical given the short tenure of CISOs – an average of two years. CISOs need to prioritize finding and training security deputies from within their organization and start early – it can take up to four years for someone to be fully trained to take on the role.

Security: What skills/qualities should a deputy CISO have?

Anderson: As the role of the CISO evolves, so too do the skills they need to succeed. Modern CISOs need business acumen to understand business processes and their organization’s goals, as well as the soft skills of relationship management and communication to effectively communicate risks and the importance of security to executive leaders and other key organizational stakeholders. Many CISOs are also more visible internally and externally, so they need the ability to lead people with a diverse group of skillsets, coaching skills to train and mentor deputies, and continually developing their skills to stay on top of the latest security management practices and tools.

Someone moving into the role of a deputy CISO needs to understand all the skills and qualifications required of a CISO to support them. That starts with understanding the domains typically overseen by CISOs – from security operations and identity management to risk and governance and regulatory and compliance issues. 

Think of a deputy CISO like an understudy in a play – they must develop the skills to take on the CISO role when needed. For example, while a CISO is responsible for managing risk at the highest level of an organization by overseeing people, strategy and technology, a deputy could be expected to support that by managing risk across different security domains.