In an ideal world, every organization, large or small, would prioritize security enough to make sure it has the necessary staff and resources to manage it effectively. Of course, in reality, that’s not the case. One big problem standing in the way is that it’s rarely clear what is “necessary” in the first place — Do I need someone who owns security? If so, does that person need to be a chief information security officer?

It doesn’t help that there’s no one right answer, and that “effective security” can mean entirely different things depending on the business and your situation.

The point of this post, then, isn’t to tell you exactly when you should be looking for a security leader, or whether you should hire a CISO at all. Instead, it’s to help you step back, take stock of your company’s specific security needs, and make that decision yourself.

First things first: Security is a function, not a person

Where a lot of small (and sometimes large) organizations struggle is thinking that security is a person or even a group of people.

Security is not at all like buying a TV for the big game. When you want a TV, the buying process is very simple. You can search for “new TV” anywhere on the Internet and get inundated with various TV models, where to buy, what features they have, and the best price that will meet your needs.

When you search for security you get … well, give it a try and see how far you get. Hiring someone to own security can be seen as a great first step for many companies, but let’s not forget that having a CISO in and of itself does not make an organization inherently more secure (some CISOs would argue it only gives an organization a place to point the finger when something bad happens). We shouldn’t lose sight of the fact that better security requires four things:

  • People
  • Process
  • Technology
  • An organizational commitment to all three

What is becoming an all-too-common practice in reality is that a CISO is brought in in the wake of some big security event and public disclosure. The proverbial security hounds come in, point lots of fingers, gasp at the fact that you didn’t have a CISO (as if that alone would have prevented the incident), and the next day a CISO search is announced.

The problem with this approach is you may not be hiring for success. When the business is on fire, it makes sense to bring in the firefighters, but what happens the next time when you realize it’s actually a plumbing problem and you think you need a plumber instead? Or when the roof blows off? Wait a minute, now you need a roofer. And on it goes.

The reality is, being in crisis mode often biases your ability to think clearly about what the business truly needs. You end up looking for the fastest way to make the immediate problem go away.

3 questions before you even think about hiring a CISO

In order to save you and any potential CISO you hire a lot of time, resources, and heartache, you need to make sure you understand how security fits into your organization and, more importantly, how this function will be empowered to make sometimes uncomfortable organizational changes.

If you don’t have a sense of the goal posts you are kicking toward, I can almost guarantee you will miss. You need to be ready for the function, otherwise you won’t be successful with the person.

Answering the three questions below will help you develop a basic understanding of what your specific security needs are:

1. What are you trying to protect? This seems almost silly to ask, but many organizations don’t really understand what their critical assets are. Is it customer data? Or is it the secret recipe for Mama’s BBQ sauce? Is it stored in the cloud or kept in a vault? Either way, without knowing what you are trying to protect, you can’t hire the right people to make sure that is done in the most efficient and economical way for your business.

2. How much risk are you willing to take? This goes hand in hand with understanding what you are trying to protect. Since there is no such thing as perfect security, you have to have some understanding of what risks you are willing to take. Who are you willing to trust?

3. How much are you willing to spend? Security is not a discipline without a budget. Ultimately, your budget will reflect and inform your decisions about risk, but in order to determine an appropriate and efficient level of spending, you also need to go back to your answer to question #1 — what are you trying to protect and how important is it to protect? If you don’t have the answers to those questions, don’t be surprised if you get a firefighter only to find out later what you really needed was a plumber.

The one thing you don’t want to do

The last thing you should do is hire a CISO because everyone else has one. Yes, you’ll be part of the club, but there’s no guarantee you’ll be any closer to being secure than you were without one. That said, you also shouldn’t wait to think about hiring a CISO until you find yourself in crisis mode and feeling the heat from your board.

The key is to take the time to understand what the role means to your organization (hopefully you’re doing that now, before you have a critical security event), so you can make sure you are looking for the right person, empowering them the right way, and budgeting for success with an acceptable tolerance for risk.

The truth is, even if you decide your organization doesn’t need a dedicated person or team managing security, that doesn’t mean there aren’t security needs, or that those needs aren’t being addressed (adequately, or not). Many founders and small business owners typically find themselves serving as “Chief Everything Officers,” but what we tend to forget is that in addition to sales, marketing, product, and service, security is one of those functions that always exists. The real question is whether it’s being actively (and effectively) managed or not.

Ryan Berg is Chief Scientist at Barkly. He holds multiple patents and is a speaker, instructor, and author in the fields of security, risk management, and secure application development. Prior to joining Barkly, he was Chief Security Officer at Sonatype and Chief Scientist and cofounder of Ounce Labs, which was acquired by IBM in 2009. You can connect with him on Twitter @ryanberg00 and on his blog.