With the rise of digital transformation initiatives in 2020, a Chief Information Security Officer's (CISO) already stressful work environment has become even more complex. The pandemic-driven shift to remote work spawned further challenges for security professionals: keeping data secure on home networks and devices that the security team does not constantly monitor, hijacked Zoom meetings, securing API integrations between newly adopted cloud services, and dozens of other issues. CISOs are facing more scrutiny of their security posture from the Board of Directors than ever.
CISOs needed to be at the top of their game because, in addition to those high-risk challenges, countless businesses found themselves fast-forwarding their digital transformation initiatives to adapt to the new normal. 2020 has been called the year of "the great accelerator": initiatives that had been put on hold were suddenly necessary to support remote work. With little in-person face time and a growing set of security risks, many businesses were playing catch-up as threat models changed and the traditional control points (the corporate network and the managed office endpoint) stopped being where the work happened, and they seemed always to find themselves one step behind.
Managing Expectations with the C-Suite and the Board
Over the course of 2020, many C-suite executives and Board members became aware that cybersecurity programs and threat monitoring had been underfunded. Companies lacked a security culture that reinforced their existing controls, which created a perfect storm of exposure: key employees targeted with credential-stealing malware, home networks becoming prime targets, and personal and work environments mixing until it was no longer clear where company data lived. Wyatt Cobb, CEO & Co-Founder of SOFTwarfare, says, "Many executives realized that it was pay now or pay big later. No one wants to be the brand or that person on the front page of every newspaper talking about a breach." This increased scrutiny only compounded a CISO's already pressing duties and further stressed IT and cyber risk programs.
"The reality of incidents occurring is not an if, but a when," Cobb continues. "Addressing threats and risks as a C-level executive can come from a place of fear. There needs to be this sort of paradigm shift of: how are we going to manage this vs. how are we going to eliminate it?"
Getting executives on the same page can be a challenge, because much of cyber risk management happens 'behind closed doors', is not widely discussed, and before 2020 was not represented in company culture. However, following 2020 and the volume of cyber events in the wake of remote work, we are beginning to see organizations' security programs come under the microscope beyond the CISO's annual presentation to the Board.
Open the Discourse and Be Transparent
A CISO does no one any favors by keeping risk management strategies and known vulnerabilities close to their chest. Yet CISOs often view their job tenure as unstable, expecting that at the first sign of a risk that has been exposed and exploited they will be forced to move on. According to Gartner, the average CISO job tenure is over 35 months, and that tenure is rarely cut short by a breach, but many CISOs still operate as if they were one data breach away from being replaced. This cycle is detrimental to company culture and to the C-suite as a whole, because a CISO who feels that way may not see reporting threats and data breaches to the board as safe.
A Gartner survey of 129 CISOs found that only 12% excelled in every category of Gartner's CISO Effectiveness Index. On average, CISOs allocate more of their time and resources to "tactical" activities than they would like. Top-performing CISOs were three times as likely as bottom-performing CISOs to report a strong relationship and a regular interaction cadence with non-IT stakeholders, and they manage stressors and fatigue more effectively than their bottom-performing peers.
To break this mindset of replaceability, Gartner suggests that CISOs identify the gaps in their own behavior that separate them from top performers and close them: delegate tactical activities to staff or other stakeholders, and reallocate the recovered time to strategic planning and risk management. Gartner also notes that how a CISO is judged depends on the organization's maturity. Immature organizations rate their CISOs on their ability to keep them safe and protected; organizations of average maturity assess their CISOs on their ability to manage risk; and high-maturity organizations measure their CISOs on their ability to deliver value and affect the bottom line. It comes down to CISOs setting their companies up for success, and companies doing the same for their CISOs, so that both can proactively manage risk together.
Establish a Narrative
It is hard to put a tangible, measurable figure on the return from investment in cybersecurity posture, integrated risk management, or risk assessment. For most senior executives, these are not problems that land on their desk several times a day demanding attention; if the job is being done correctly, they may never land there at all. That 'invisibility' of risk becomes an issue at budget time, when executives may ask why so much has been invested in areas with nothing to 'show' for it.
Security strategy can still be reasoned about, whether you are a CISO, a senior network engineer, or a CEO. Understanding where vulnerabilities exist and then prioritizing them by criticality (how severe and exploitable each one is, and how valuable and exposed the affected asset is) has been a sound approach for decades. The challenge is getting everyone invested in the success of vulnerability management.
One way to address this is to establish a narrative and demonstrate a supply value chain that aligns IT and business objectives. Showing the board the value that risk management adds to the whole company at each step of that chain demonstrates a return on investment, and underlines why data must stay protected along the entire supply value chain.
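The two paragraphs above ask for a prioritized vulnerability list and a return-on-investment story the board can follow. As an added example (not code from the article or from SOFTwarfare), the Python below makes both concrete: it ranks findings by the conventional annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), and it expresses a proposed control as a return on security investment (ROSI). The findings, dollar values, rates and the multipliers in annual_rate are constructed assumptions for illustration, not figures from the page or calibrated data.

```python
"""Risk-based vulnerability prioritization and return on security investment.

Added example, not code from the original article. It uses the standard
quantitative model: SLE (cost of one incident) x ARO (incidents per year)
= ALE (expected yearly loss), ranks open findings by ALE, and computes ROSI
for a control that reduces that loss. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # tracking identifier (hypothetical)
    asset: str              # where the weakness lives
    cvss: float             # CVSS base score, 0-10
    exploit_public: bool    # is a working exploit publicly available?
    internet_exposed: bool  # reachable from outside the corporate network?
    asset_value: float      # business value of the asset, in dollars
    exposure_factor: float  # fraction of asset_value lost in one incident, 0-1
    base_aro: float         # assumed yearly incident rate with no extra attacker interest


def annual_rate(f: Finding) -> float:
    """Estimated annual rate of successful exploitation (ARO).

    The base rate is scaled up when an exploit is public and when the asset is
    internet-exposed; CVSS adds a mild scaling so a 9.8 outranks a 5.3 with equal
    exposure. The multipliers are assumptions for this example, not calibrated.
    """
    rate = f.base_aro
    if f.exploit_public:
        rate *= 4.0
    if f.internet_exposed:
        rate *= 2.5
    rate *= 0.5 + f.cvss / 10.0
    return rate


def single_loss_expectancy(f: Finding) -> float:
    """SLE: the cost of one successful incident against this asset."""
    return f.asset_value * f.exposure_factor


def annualized_loss_expectancy(f: Finding) -> float:
    """ALE = SLE x ARO: the expected yearly loss from leaving this finding open."""
    return single_loss_expectancy(f) * annual_rate(f)


def prioritize(findings):
    """Return findings ordered by expected loss, highest first.

    Ties break on CVSS, then on identifier, so the order is deterministic and a
    tracking report does not reshuffle between runs.
    """
    return sorted(findings,
                  key=lambda f: (-annualized_loss_expectancy(f), -f.cvss, f.vuln_id))


def total_ale(findings) -> float:
    """Expected yearly loss across every open finding."""
    return sum(annualized_loss_expectancy(f) for f in findings)


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment as a multiple of the control's yearly cost.

    ROSI = (risk reduction - cost) / cost. 1.0 means the control avoids twice
    what it costs per year; a negative value means it costs more than it saves.
    """
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    return ((ale_before - ale_after) - control_cost) / control_cost


# Constructed sample findings (ids, assets and numbers are made up).
SAMPLE_FINDINGS = [
    Finding("VULN-001", "vpn-gateway", 9.8, True, True, 2_000_000, 0.30, 0.05),
    Finding("VULN-002", "hr-file-share", 7.5, False, False, 500_000, 0.50, 0.10),
    Finding("VULN-003", "dev-wiki", 5.3, True, False, 50_000, 0.20, 0.20),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id:9} {f.asset:14} ALE ${annualized_loss_expectancy(f):>12,.0f}")
    # A patch-and-harden project for the VPN gateway: assume it leaves 10% of
    # that finding's ALE as residual risk and costs $60,000 per year to sustain.
    top = prioritize(SAMPLE_FINDINGS)[0]
    before = annualized_loss_expectancy(top)
    after = before * 0.10
    print(f"ROSI for remediating {top.vuln_id}: {rosi(before, after, 60_000):.2f}x")
```

The point of ranking by expected loss rather than by raw CVSS is that a medium-severity finding on a high-value, internet-facing asset can outrank a critical one on an isolated test box, and the ROSI figure turns "we need budget for the VPN gateway" into "this $60,000 avoids roughly $400,000 a year of expected loss", which is the narrative a board can weigh.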
Focus on the Future
A CISO's responsibilities will only continue to grow as digital transformation expands, and so will the pressure CISOs face daily. However, with a plan in place and a mature risk strategy, it is possible to be prepared for the ever-present threat of a data breach.