The chief information security officer (CISO) is the pinnacle of a career in information security. The role has a bird’s-eye view of information security strategy and works closely with c-suite executives such as the CTO, CIO, COO, CFO, and even the CEO. Remuneration can be generous. CISOs in Fortune 500 companies may earn in excess of $400,000. That is besides any performance bonuses. But there’s no great reward without great responsibility. To be successful in this role, a CISO has to overcome a myriad of challenges. Here’s a look at some of the most pivotal CISO challenges.
1. Sophisticated attacks
Each year, the world makes substantial progress in cybersecurity regulations, standards, and tools. But cybercriminals are not resting on their laurels. The cyberattacks making news in the last year or two have been much larger and more sophisticated than those from just five years ago. When an attack occurs, it’s inevitable that all eyes in the organization starting from the board will be looking to the CISO for answers and direction.
CISOs must apply themselves to the protection of the organization’s digital assets against such attacks. That includes mapping out mission-critical systems, establishing robust technical and procedural controls, and regularly contracting ethical hackers.
Equally important, CISOs must manage the expectations of stakeholders beforehand. From Twitter and CNN, to PayPal and Uber, it’s clear world-class cybersecurity systems do not guarantee immunity. The board and senior leadership must recognize that no organization is immune to attack. When an attack does occur, the response, containment, and recovery are what will play the greatest role in the organization’s survival and prospects.
2. Getting all employees on the cybersecurity bandwagon
The complexity of the technology ecosystem, even in small and medium-sized businesses, makes it impossible for the IT and cybersecurity teams to secure it all on their own. Also, most data breaches are not the result of hard-fought technical hacking taking place in the shadows. Humans are the weakest link. So despite having the best cybersecurity systems and team, none of that will matter if employees are not on board.
CISOs have to be at the forefront of driving employee awareness and buy-in. This is best achieved by roping in the highest level of the organization into awareness campaigns and key cybersecurity-related communication. For instance, a message from the CEO is a great way to kick off an IT security awareness week.
Make security training and awareness activities interesting. Celebrate and reward employees who model the right cybersecurity behavior. Get employees to understand their personal responsibility to protect their user names and passwords. Let them be aware of how to report known or suspected cybersecurity incidents.
Develop an escalation procedure that starts from line managers and help desk support staff then goes up the command chain depending on the significance and severity of the incident.
3. Cybersecurity regulations
Data is the new oil. In this context, regulators around the world are scrambling to develop regulations that can keep step with the massive volume of confidential data in the hands of corporations. The urgency has grown especially rapidly with the growing sophistication of hackers as well as state-sponsored and industrial cyber-espionage.
Nothing is more representative of this wave of new cybersecurity regulations more than the EU’s General Data Protection Regulation (GDPR). As other supranational, national, state, and local regulators develop their own flavors of the GDPR, CISOs will have to work with legal and compliance teams in providing the leadership that ensures the company’s security, privacy, data protection, and policies comply with the new laws.
The regulatory landscape can get especially murky for multinational organizations due to region-specific cybersecurity laws. In such situations, it may be best to identify the lowest common denominator and develop a company cybersecurity policy with this baseline as long as it doesn’t violate any specific regulation.
4. The ransomware threat
Since the dawn of the Internet Age, organizations have had to grapple with a myriad of cyberthreats and CISO challenges. But one has emerged in recent years that stands out for its ability to endanger the very survival of entire businesses: ransomware. Though the history of ransomware goes back more than three decades, the type of ransomware the world battles today is far more destructive and complex.
Unlike other forms of hacking and malware, where criminals are simply interested in stealing confidential information, ransomware rides on extortion. In 2019, ransomware attacks caused billions of dollars in direct and indirect losses affecting some of the largest corporations in the world.
CISOs have to ensure their organization’s security infrastructure is designed to prevent and surmount a ransomware attack. This, however, has to go hand in hand with making sure every employee understands the different ways ransomware can enter an organization, such as email attachments or clicking on malicious links.
The CISO in liaison with legal counsel should also be prepared to present the full range of legal options available to the organization including the possibility of paying the ransom as a last resort to get back systems and data.
5. Shortage of cybersecurity talent
The demand for cybersecurity talent far exceeds supply. In 2019, the global cybersecurity workforce stood at 2.8 million professionals. This fell below the required headcount by a staggering 4.07 million. The industry needed a 145 percent jump in 2019 alone to bridge that gap. It’s clear this stark shortage is bound to be with us for years.
For CISOs, this is a headache they struggle with every day. The fight for talent can make bidding wars over remuneration dizzying and out of the reach of many employers. CISOs have to be more creative in order to ensure the organization’s security staffing needs don’t suffer due to the talent shortage.
One way would be to tap into and upskill employees already in the organization but who do not necessarily have a cybersecurity background. The second is to ensure each security role has a competent double who can stand in just in case of an unexpected vacancy. Third, leverage automated security solutions and minimize the need for manual intervention.
Recognize CISO challenges and act accordingly
CISOs are living and working in unprecedented, turbulent times. In today’s risk-laden technology environment, the responsibilities can feel overwhelming. The key to surviving and thriving is recognizing the most significant CISO challenges and taking measures to stay on top of them.
Featured image: Shutterstock
The CISO almost always is underfunded & under-appreciated. The “business” doesn’t recognize or acknowledge the darker undercurrents in security – the challenge is no longer the CISO’s but the others at the top levels of the company to start UNDERSTANDING you cannot send the security team into war with pea-shooters while the bad guys have howitzers.
My current company actively suppresses my many requests to invest in areas of concern (of which there are several) and this despite having gotten pimp-slapped by Maze just last year.
***This is posted anonymously to protect my job.