Today’s CISOs are under attack from many sides, both inside and outside their organizations. Of course, there are many bad actors using new and more sophisticated exploit methods to penetrate their networks. But even internally they are under fire.
The requirements for a modern Chief Information Security Officer are many: staying abreast of the implementation of new technologies and protection measures, of course, but also improving the skills and morale of the staff and, above all, assuming a leadership profile and greater responsibility for reducing overall compliance risk and legal liability.
According to Forrester’s recent security program recommendations report, “The eyes of the world are on CISOs, but not in a good way. There is now a long list of sacrificial CISOs who have been fired or left due to disagreements with their companies.”
Navigating what comes next isn’t easy, but here are five tips from Forrester’s analysis that might help you identify some paths to success.
Empathy can rebuild trust after a breach
One consequence of the ongoing assault on corporate networks is the erosion of trust, especially between customers and business partners, according to Forrester analyst Heidi Shey in a recent report on the brand implications of privacy violations.
She recommends that CISOs conduct a critical review of both cybersecurity and privacy risks across the entire operation, including partner and vendor ecosystems, because, as she wrote, “robust privacy oversight, practices and accountability structures will form the basis for the creation of new products and solutions, and support the ethical and responsible use of data in your digital transformation.”
However, CISOs must also be empathetic and transparent with timely post-breach notifications, understanding the concerns of vendors, partners and customers about the harm that breaches can cause, regardless of who is to blame for the incident.
“There is a tendency for self-preservation after a breach and it makes sense to keep information to yourself, even afterward, once the event is over,” says Max Shier, CISO at Optiv. “However, cybersecurity professionals and particularly CISOs must ensure that there is as much information sharing as possible to help others learn from the event.”
Be honest when you make mistakes
Part of this rebuilding of trust is that CISOs need to provide clarity, take ownership when there are issues, and be proactive in working with various stakeholders to resolve them.
“Practice radical candor with your constituencies and key leaders,” is a tip from Forrester. In other words, ask the tough questions and work to reach a consensus.
“Transparency, understanding and keeping lines of communication open can help the entire supply chain cope with an event if something is disrupted down the line,” Shier says. “It’s critical to have a resilient supply chain, but it’s also critical to help each other during and after an event, as there are ripple effects up and down the supply chain.”
CISOs cannot afford to ignore their liability in the event of a data breach: an analysis of the top 35 breaches in the world in 2023 found that organizations paid nearly $2.6 billion in fines for exposing 1.5 billion records, and nearly half of those breaches occurred at public agencies and healthcare-related industries. The list includes breaches at many of the world’s largest telecommunications providers. Of the 35 major breaches, all but one occurred in the European Union and the United States.
Operational transparency: much more than just PR
Additionally, transparency should be a natural part of a CISO’s program, not just something that is triggered in post-breach situations. Part of the motivation is compliance, as analysts at Forrester have noted.
“Regulators are pushing for greater transparency,” they wrote. “They are making it easier by offering incentives to security leaders to act in the best interests of customers – and themselves – with the threat of legal action. Lack of transparency leads to a violation of the law, a breach of trust, and continued transparency theater. In other words, do what you say you’re going to do with your data.”
In another report released earlier this month, Forrester analysts also gave this advice to security managers: “Do not sign your name to third-party risk assessments, insurance underwriting documents, or regulatory compliance statements that obfuscate or hide program or product flaws.”
In general, CISOs need to “own it, recognize where things have gone wrong and work proactively to fix it, including as many stakeholders as possible to make sure we’re fixing the root cause and identifying any other issues that may have been missed,” says Shier. “This is especially true now that CISOs are increasingly being held personally liable for issues that may arise from corporate negligence or persistent, known, unmitigated security issues.”
Pay more attention to improving the skills of your staff
CISOs must also keep staff updated on new technologies, new threats and new prevention methods.
“Security is a moving target, things are changing so fast,” says Lisa Rokusek, a recruiter with her own St. Louis-based agency, called rokusekrecruits.com. “A lot of companies have had a terrible track record in terms of developing and then retaining their internal talent. That’s very short-sighted.”
The way forward is to invest in more and better upskilling programs, as Forrester analyst Jess Burn wrote in her report on the subject. “The lack of employees with security skills has been a key challenge for many organizations,” she said. “Investing in technology rather than training only widens the skills gap as professionals struggle to keep up with learning new tools versus developing skills in key areas.”
Embrace new technologies, but understand the context
When it comes to implementing new technology (generative AI, let’s say) it’s almost inevitable that at some point CISOs will find themselves caught in a vicious cycle. But it’s important to keep a clear head and think carefully about data privacy risks versus security benefits when dealing with new platforms.
“The cybersecurity industry is just like everyone else and also falls prey to hype cycles,” Shier says. “Artificial intelligence, Zero Trust and security platforms immediately come to mind. The CISO’s job is to evaluate the risks, the benefits, eliminate the marketing jargon and ensure a good balance between risks and benefits, while still enabling business. This is not an easy task, especially when artificial intelligence has truly changed the world, both for better and worse, and the need for implementation is extremely high, otherwise your business can quickly become irrelevant.”
As Forrester analysts noted regarding ChatGPT-like features, “prioritize usefulness over flashiness, realize the constraints of AI, and understand its impact” on a company’s infrastructure, data, and operations.
Another example is the transition to passwordless authentication. Forrester recommends that companies move toward passwordless and other stronger authentication methods to prevent future attacks. However, this is not something a CISO can simply turn on.
“At the 80,000-foot level this is all true, we’ve needed something better than passwords for a long time,” says Phil Dunkelberger, CEO of Nok Nok, a longtime authentication services provider. “That’s where the problem lies: as our customers begin to implement passwordless solutions, we’ve found that the devil is in the details; each vertical has its own security needs, its own regulatory mandates, and of course, the platforms vary widely as well.”