10 January 2024

Focus on the role of Chief Information Security Officer (CISO)


Insights from the Healthcare, Industry and Luxury sectors
By Christèle Arnoult

January 2024 | 4 min

Mission: Dealing with the Threat

With a 22.9% increase in the exploitation of unique vulnerabilities in 2023, as reported by Orange Cyberdefense (Security Navigator 2024), the role of the Chief Information Security Officer (CISO) is of strategic importance in managing the cyber threat targeting organisations. The CISO is responsible for guaranteeing the security of the organisation's information systems, and therefore manages all the resources and means necessary to anticipate, identify and control potential attacks.

A full set of Super Skills to Master a Growing Menace

The main challenges the CISO has to deal with include protecting sensitive data, preventing intrusions, managing security incidents, ensuring regulatory compliance and raising employee awareness. As indicated by the latest ENISA report, covering the period July 2022 to June 2023, the threats take many forms (top 5: Ransomware 31.32%, DDoS 21.4%, Data 20.09%, Malware 8.24% and Social Engineering 7.88%).


Even if he or she doesn’t wear a distinctive superhero costume, the CISO must possess “Super Skills” that go beyond the technical knowledge inherent to the role. These qualities support a systemic way of thinking and improve the ability to carry out the mission successfully. Depending on the situation and the people involved, CISOs must be able to handle stress, act quickly but without haste, inform or negotiate diplomatically, engage teams through leadership and demonstrate the communication skills needed to raise awareness.

Quite the Same but still Different

The challenges faced in the Governance, Risk and Compliance (GRC) management are often common to several business sectors.

Here are a few examples of the CISO’s tasks:

  • Defining security policy according to constraints and objectives
  • Steering the implementation and monitoring of procedures
  • Reviewing existing solutions and identifying areas for continuous improvement
  • Managing the expenses
  • Reporting to decision-makers
  • Keeping up with ongoing technological and regulatory developments

As noted by ENISA, all areas of activity are affected. Whatever the sector, the number of cyberattacks is on the rise. The report highlights the change in the number of victims by sector: +115% for Educational Services, +109% for Finance & Insurance, +42% for Industry.

[Figure: evolution of the number of victims by sector of activity]

Within this context, even if the challenges faced by CISOs are often common to several sectors, each environment has its own particularities.

Healthcare environment

The protection of personal and medical data is of paramount importance. Attacks on hospitals and healthcare systems are becoming increasingly frequent, jeopardising the confidentiality of medical information. CISOs therefore play a key role in securing patient data, ensuring the integrity of connected medical systems, and preventing ransomware attacks that could endanger human lives by bringing part of a healthcare facility to a standstill.

Industrial businesses

Industrial businesses face specific risks, such as the threat of industrial espionage, manipulation of production line control systems and supply chain disruption. CISOs must therefore develop appropriate defence strategies, which often involve securing smart factories, protecting production plans and preventing attacks aimed at destabilising supplies. Cybersecurity is thus becoming an essential component of operational management in the industrial sector.

Luxury goods

The luxury goods sector, with its iconic brands, is a prime target for cybercriminals. Online counterfeiting, theft of intellectual property and attacks on brand reputation are some of the threats CISOs face. Protecting manufacturing secrets, securing electronic transactions and preserving brand image are therefore all responsibilities taken on by the CISO.

What educational track is required to become a CISO?

Whatever the domain of activity, CISOs need to be able to adapt to different situations in order to carry out their mission successfully. They therefore need a solid technical grounding to understand how to orchestrate the security of applications and infrastructures. This also helps them communicate with the professionals who develop and manage these digital ecosystems.

A general or technological baccalaureate with a specialisation in mathematics, computer science or engineering is a good starting point. From there, several tracks are possible: an engineering diploma, a Master’s degree, or an upskilling route that builds on professional experience are the most common ways into the job.

What does our Public French Graduate Cybersecurity Research School offer?

In addition to cyber-oriented courses in IT, Networks, Mathematics and Data Science, our CyberSchool Consortium offers two tracks dedicated to the CISO career:

The Master’s in Computer Science, Chief Information Security Officer track, alternates one month in class with one month as an apprentice in an organisation where a senior CISO mentors the student. In creating this recognised educational programme, our CyberSchool aimed to mobilise the most relevant resources to prepare students for the specificities of the CISO’s role.

Franck Bouetard, from our programme management team, adds: “Students are currently working in a wide variety of sectors. Depending on the demand, we give priority to organisations located in Brittany, but some of our students are doing their apprenticeship in another region. By the way, one of them is currently working with a leading group based in Switzerland.”
The sectors in which students are doing their apprenticeship include: Healthcare, Industry, Digital Service companies, Local Authorities, Institutions and Government entities.

By 2024, the most recently created CISO class will grow to 20 students: what if you were one of them?