The Chief Information Security Officer role (CISO), is the most senior cyber security role in any organisation, and the role has developed rapidly in recent years under the wave of increased digital needs. With more customer data gathered and stored than ever before, the risk of implementing a sub-par security strategy effects every level of the organisation.
CISOs are the custodians, responsible for protecting the face of their business and trust of its customers as they engage with the organisation. They still have processes and programme delivery to manage whilst trying to stop people hacking into their systems, and every day can see something different happen. While this variety is one of the things that makes the role so rewarding, it can also be a nightmare when things go wrong. Below are three of the main things that keep CISOs up at night.
Managing the constant cyber risk
CISOs operate knowing that their organisation is likely under constant threat of attack, and it’s only a matter of when, not if, an attacker penetrates their defences. In situations where customer information is compromised by malicious actors, the reputational damage to the business can prove fatal to the CISO’s position.
However, while it is essential to keep the company as safe as possible, every business needs to be able to take risks, otherwise they don’t advance. For many CISOs, making sure security is not a barrier to progress is a personal challenge on par with defending against attackers. A CISO that is prohibitively risk averse can easily derail relationships with executives.
The tug of war between insuring that relevant risks have been identified, and the right approach has been taken in managing or mitigating them, while balancing with business needs, is extremely challenging.
Facing the board
Being agile in response to threats whilst keeping to security programme deadlines is near impossible without significant resources that comes with sign-off from the board. Aligning security strategy to wider business strategy is undoubtedly complex; but necessary to have real impact. This means a CISO must be adept at not only managing their security teams but raising issues with the board and winning their support for the necessary investment and action.
With buy in from the board a CISO has two major advantages. They can be a trusted partner to other executive decision makers in the business and also be team ambassador – providing value for the business agenda. Without being able to foster a good relationship with the board however, the security team suffers. They will be limited by the resources they have been allocated and feel like an unimportant silo to the business.
For many CISOs, this is where the reward for this job lies. Irrespective of boards or companies, being able to secure buy in from the board because you are trusted, will add value, this is what makes it worthwhile.
However, the task of confronting the board for more investment in security can easily lead to a CISO laying awake in a cold sweat. Security investments should be seen as taking out an insurance policy to provide protection in case the worst happens. However, it is still common for boards to see security as an expense that can be spared wherever possible, and CISOs often have to fight their corner. When a breach does occur, the CISO will not usually be able to go back and blame a lack of budget or resources for any shortcomings.
Spreading the word
Traversing who should be responsible for security risks in the organisation needs a Swiss army knife approach. For many security teams, there is an appreciation that security is not just the responsibility of the CISO. As all businesses are acting in a dynamic landscape, unless they have effective education at every level in the organisation, they cannot beat the myriad threats out there. Every organisation is at risk from being taken advantage of by a hacker and their ability to execute that depends on how staff react, not just security teams.
Awareness programmes and staff education play a large factor in this, as does limiting the ability of staff to fall foul to attack via access rights. Getting buy-in from executives and senior managers can be difficult if the evidence for such an extensive risk mitigation strategy is yet to be proven necessary due to a previous incident at the company.
At the same time, the perception of the CISO is, often, that they represent something of a roadblock and hinder progress. In many cases, this only changes when the CEO needs help and is able to witness first-hand the solution provided by the CISO. They can then see the value that an effective cyber security programme brings.
CISOs need to be decisive and ensure that their company has adequately invested in education for the workforce. At the same time, they must take responsibility for educating the board on their own importance and role within the company.
A common trap that more uncertain CISOs fall into is only being seen as useful in times of a crisis, spending their time waiting for the nightmare of a major security incident to begin. Those CISOs that are able to show decisiveness and leadership in handling security with the board and the rest of the organisation will not only be better equipped to keep the company safe, they’ll enjoy a better night’s sleep too.