Companies recognize the importance of cybersecurity and are increasingly incorporating it as an asset into their operational strategies. But by mixing security and operations, organizations may be diluting the chief information security officer’s (CISO) core mission: protecting the company’s assets from unwanted attacks.
Starting in the 1990s, the role of the CISO was more technical and IT-focused. Security was black and white and departments strove to eliminate anything deemed a risk. In the last 20 years, however, work has changed. CISOs face more risks than can be resolved, are required to balance security with operational capacity, and must convince leaders to invest in security.
Today, CISOs are also expected to comply with business needs while still being accountable for breaches. At networking events, I see more and more CISOs with business backgrounds focusing less on the IT aspects of the job and more on supporting business priorities.
This shift can leave companies in a precarious position. Relaxing cybersecurity diligence for the sake of speed not only threatens the security of company data, but also creates unnecessary risks. And the cost is not insignificant. According to IBM’s “Cost of a Data Breach 2023” report, the average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years.
In 2024 we must once again rethink the role of the CISO. Today’s CISO must help their organization understand that prioritizing risk reduction is critical to the company’s resilience in the face of modern threats.
Today’s CISO: the resilient politician
CISOs were once able to sell their importance based on the idea that, in IT terms, the sky was falling. But when the business and security aspects of companies merged, corporate responsibility came into play. CISOs’ focus has shifted from risk avoidance to attitudes toward risk and consideration of what level is acceptable in pursuing business objectives.
In many cases, revenue-generating business units now have the final say on what level of risk is acceptable, including cyber risk. Meanwhile, business leaders who have become more comfortable with cybersecurity no longer want to feel like the sky is falling. Instead, they want the CISO’s focus to remain on growth and profitability, while protecting the company from cyber attacks. With the proliferation of ransomware, CISOs must not only prevent, detect and remediate security risks, but now must consider how resilient systems are to cyberattacks that can derail the business. CISOs also need to focus on how quickly the company can recover from a cyber event.
The good news for CISOs is that many of these roles have been elevated to true C-level positions. The bad news is that their role is primarily advisory, secondary to what leaders consider to be acceptable risk. Considering the growing pressure from the Securities and Exchange Commission (SEC) and the Department of Justice regarding CISO responsibilities following a cyber attack, this position is rapidly becoming untenable.
The next phase for CISOs
To be successful today, CISOs must develop new skills while maintaining strong fundamentals. Here’s how you can achieve this.
- Learn how to speak to the board. CISOs must be negotiators. They need to advocate for greater security and convince boards and business units of the risks in terms they understand. How a CISO approaches this task may vary depending on whether the board members’ expertise is in technology or business. It may be helpful to provide a demonstration that frames technical risk from a business perspective. CISOs should also talk to other C-level executives, as well as CISOs from other industries, to get early consensus and diverse perspectives on similar conversations they are having with their boards.
- Get comfortable with grey. CISOs need to feel comfortable developing a risk-based approach that focuses on the importance of resilience, because attackers will get in. Developing a tested plan to respond to attacks is just as important as implementing preventative measures. And always remember that you can’t provide absolute security; the job is to balance risk against cost.
- Emphasize the fundamentals. CISOs should build a deeply technical team that can focus on core security practices. They should run practice exercises on scenarios such as a system shutdown or loss of Internet connectivity. CISOs don’t have to rely on assumptions about how to respond; examining and testing all response plans is vital.
- Be attentive to technology. Security teams today have too much information to analyze. It is essential to consolidate data and invest in automation. In a previous role, I found that my team spent a third of their time collecting data and creating reports. It’s not a good use of anyone’s time. Automation can help. It will also enrich your team’s careers by letting them focus on security rather than administrative functions.
- Document everything. When a malicious incident occurs, blame is often placed on the CISO. In recent years, CISOs at major companies have been fired, called to testify in court, and, in some cases, charged with crimes. CISOs should develop a cyber attack response plan, document each step, and strictly follow it. This may not save the CISO’s job, but it may keep them out of court.
A new CISO for a new threat landscape
The enterprise IT landscape has changed significantly over the past 40 years, becoming increasingly dispersed, cloud-based, and central to the conduct of business. The same is true of the cyber threat landscape, with breaches now widely considered inevitable. With so much change, it is unrealistic to expect today’s CISO to operate the same way as in decades past. In this new environment, CISOs need to redefine how they balance cyber resilience and operational needs, interact with senior executives and the board of directors, and provide technical and team leadership.