ECSO has kickstarted its new webinar series dedicated to improving the collaboration and connections between C-suite cybersecurity professionals and HR professionals. The inaugural webinar, held on 12 June, shed light on advocacy efforts aimed at enhancing the description of the CISO role within the European Union Agency for Cybersecurity’s (ENISA) European Cybersecurity Skills Framework (ECSF). This online session was divided into two parts: a deep dive into ENISAs domain focus and the role of CISOs as per ENISA, followed by an open discussion on the CISO role, exploring missing elements. ECSO will gather input from CISOs on the ENISA ECSF document, which will be submitted to ENISA for future iterations of the CISO Role. Collecting this input will be facilitated through ECSO’s presence in ENISA’s Ad-Hoc Working Group on the European Cybersecurity Skills Framework (ECSF).

Fabio Di Franco, ENISA’s Lead on the ECSF, recognises the challenges of using different languages and jargon within the cybersecurity community, particularly between practitioners and academics. This disparity between technical terminology and everyday applications necessitates the establishment of a common language that all stakeholders easily understand. ENISA’s aim, with a common language, is to provide a clear understanding of required skills, consequently enabling candidates to prepare for their cybersecurity careers.

Furthermore, ENISA seeks to develop a comprehensive guide for HR planning in cybersecurity, including candidate assessment for future providers. This initiative also focuses on enhancing awareness of academic programmes, supporting career paths, and promoting skilling and reskilling opportunities. The framework includes 12 high-level profiles, not strictly job roles but expectations associated with these profiles. Among them, highlighted in this webinar, is the Chief Information Security Officer (CISO), responsible for managing cybersecurity strategy and policies within an organisation.

According to ENISA, the CISO role encompasses several vital responsibilities.

1. CISOs are responsible for designing a comprehensive IT management strategy, considering the unique needs of different organisations. CISOs assess the company’s cybersecurity posture and work towards more resilience of the organisation’s architecture.
2. CISOs play a crucial role in the implementation phase through upskilling and/or hiring cybersecurity implementors and ensuring the existing teams receive appropriate training.
3. On the operational side, CISOs establish and manage the Security Operations Center (SOC) to monitor and respond to security incidents.
4. CISOs identify areas for improvement and may employ external service providers for services such as penetration testing. In the context of the ECSF, it serves as a common taxonomy that assists young individuals in understanding the potential career paths available in cybersecurity.

In the second part of the webinar, an open discussion was held, and opinions were gathered from the participating CISOs. It is important to note that these opinions do not represent the official stance of ECSO.

Participants considered introducing an additional title, namely Business Information Security Officer (BISO), alongside the existing Chief Information Security Officer (CISO) role. Various feedback and opinions were shared regarding the distinction between these titles. Participants emphasised that the CISO and BISO roles should not be mixed. According to the discussion, a BISO will be a subset role that facilitates interaction with the team’s business side. At the same time, a CISO has a stronger focus on cybersecurity architecture.

Lastly, when summarising the CISO role, the following critical missing elements were highlighted:

1. Information: It was proposed that the word “information” should be included in the statement to emphasise the strong bias towards digital information. The CISO’s role includes responsibility for information security and formulating and implementing an information cybersecurity strategy.
2. Leadership: The aspect of leadership was identified as missing. The CISO should possess leadership skills and be able to lead management in cybersecurity matters.
3. Accountability: The CISO should be accountable for the overall cybersecurity strategy and ensure the continuity of information, cybersecurity, and business security. While there can be task segmentation (such as business and information security), the CISO’s accountability includes having a global vision of the company’s cybersecurity policy.

It was emphasised that the CISO role should not only focus on the information industry but should have a broader vision. The responsibilities of the CISO may vary depending on the sector, and it is essential to consider how CISOs responsibility is with other stakeholders, such as engineers in specific industries. Clear guidance must be provided in the skills statement on ensuring privacy, preventing security incidents, and offering advice to all stakeholders in managing risks related to information security.

To summarise, this first webinar provided a valuable opportunity to gather input on the CISO role within the ECSF scope. However, discussions are ongoing, and ECSO continues to collect feedback from CISOs on this topic. Once all input has been gathered, ECSO will submit the information to ENISA for a joint evaluation. It is important to note that not all input will be included in the final document sent to ENISA due to potential contradictions.

Stay tuned for another upcoming ECSO webinar on 12 July, which aims to facilitate the connection between CISOs and the HR Community.