The Deputy CISO or DCISO role has become more common among security teams at larger enterprises.
This piece details the emerging DCISO role and provides guidance for security leaders who are considering adding this position to their team.
Defining the DCISO Role
The DCISO typically reports to the CISO or CIO. Depending on the size of the security function and complex needs of the business, an enterprise may have several DCISOs heading up individual departments
that ultimately fall under the security umbrella.
For example, an enterprise might choose to have a DCISO leading compliance which helps reduce the risk of non-compliance fines and penalties. Dedicated leadership keeps the focus on data privacy and breach notification laws without drawing resources away
from other security initiatives.
READ: Understand Variations of the CISO Role
Benefits of a DCISO
A DCISO can play a variety of roles within an organization including overseeing SecOps or A&E which keeps the focus on continuous security improvements. Key benefits of hiring a Deputy CISO include:
DCISOs Streamline Security Operations
A DCISO org structure helps to streamline security operations for large enterprises with complex business unit infrastructures. DISCOs can manage day-to-day security operations when security resources get stretched thin. By placing high-performing security
talent in leadership positions as needed, the CISO’s functions are not compromised. This allows the CISO to focus on strategic long-term objectives and provide leadership oversight continuity.
READ: How to Structure the Information Security Function
DCISOs Accelerate Communication and Reporting
DCISOs act as a liaison between the CISO and other departments to efficiently communicate current security status ensuring that all stakeholders remain informed of cybersecurity developments. They can identify and assess business unit risks and develop
strategies to mitigate those risks. Communication becomes much easier when the organization knows who is responsible for every piece of the security picture.
By defining the value of security investment through reporting dashboards and KPIs, a DCISO helps ‘keep eyes’ on the big picture. This can speed security improvements on
an enterprise scale fostering a more successful security program throughout the organization.
DCISOs Support CISO Succession Planning
As a backup to the CISO, DISCOs enable efficient succession management of the security program to minimize risk and hedge against the impact of a departing security leader.
In addition, should the CISO be unavailable for any reason, DCISOs can continue to drive critical security initiatives forward.
DCISO Recruiting Tips
Given its recency, a certain amount of ambiguity still exists around the DCISO role. As a result, HR and other recruiting arms of the business can find it challenging to bring on the right talent. Consider the following tips to help recruit and retain
- Work with your HR team to define the DCISO role to align with real-world business requirements.
- Update security salary bands to reflect the true value of the DCISO role; expanding the hiring budget will attract top-level security leadership talent.
- Focus on paying rates in top quartile comp brackets to gain a recruiting and retention advantage.
- Use a knowledgeable third-party recruitment firm to speed the process and provide a competitive edge in the market.
Download: Security Organization and Compensation Benchmark Study
How to Maximize the DCISO Role
As a niche-focused role, the DCISO excels when given the right balance of responsibility and decision-making authority. Organizations should carefully define the role in the context of the business’ real-world security needs.
Maximizing the value of the DCISO role requires carefully analyzing your security organization posture and threat landscape. When a particular category of information security tasking routinely requires significant time, energy, and resources, it becomes
a good candidate for specialized DCISO leadership.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.