Surviving & Thriving As CISO: 4 Key Security Challenges to Overcome


Chief Information Security Officers (CISOs) are living through turbulent times. It’s no wonder that a quarter of CISOs worldwide suffer from stress-related physical or mental health issues. And, more than half of those fail to “switch off” when they go home, a study Opens a new window by Nominet indicates.  In today’s risk-laden environment, it’s not simply security issues that they need to deal with, it’s employees, board members, and a growing list of regulations that are adding to their headaches. 

Clearly, there is a lot for CISOs to think about in order to survive and thrive in these turbulent times.  Let’s take a look at each of these four issues in detail.

1. Biggest Threat to an Organization’s Cybersecurity Is Employees 

You may think that hackers are the biggest problem CISOs need to tackle, but sometimes, employees lead to more data breaches than hackers. No surprise here, it’s the staff that click on links in spear phishing attacks and fail to check suspicious email that appears to come from a senior executive.  On top of that, employees notoriously tune out IT’s message about good password hygiene. 

Here are three ways employees continue to be the weakest link in the security chain: 

Insider Threats: The recent Twitter hack shows insider threats can strike any company. Hackers use social engineering techniques to coerce staff to copy company-confidential data and send it to them. This data could be a list of customer credit card numbers etc.

Making it personal: The second problem with staff is them performing actions that compromise or destroy data. This could be as a result of them making a serious mistake, or it could be because they are disgruntled in some way and feel it only fair that they should take a list of your customers to their new job, for example.

Lack of trained personnel: The third problem is finding qualified security staff who can maintain the security of your IT system. Because of the importance of this, and the comparative rarity of trained security staff, salary expectations can be quite high.

2. When the Board Doesn’t Understand Security Risks As Well As You Do?

Typically, board members are skilled in financial areas and human resources. What is often lacking is to find board members who really understand IT issues and who are familiar with the kinds of metrics that a CISO will want to present to them. 

Check out two ways boards impact security preparedness: 

Not recognizing security as a critical issue: The consequence is that no matter how cogent the presentation put forward by the CISO, the board won’t get it. They will only see that IT teams are asking for more money. And they will not be able to understand the risk assessment made by the CISO.

Justifying security investments: The board also controls the IT security budget. They may not understand how important good security is. They may not realize that hackers are no longer disgruntled teenagers sitting in their homes, but are teams of highly-skilled people using the latest automation to attack organizations and towns. They will attack anyone with IT infrastructure that needs to stay in business and some are even state-sponsored. CISOs find themselves unable to show the board a tangible return on investment.

Learn More: The Path to Cyber Resilience Lies in Antifragile Culture: Lessons for CISOs

3. Failing to Recognize Security As a Shared Responsibility  

The global pandemic has resulted in many people working from home, and many companies are not expecting to see their workforces in the office until the next year. On top of that, there is a massive change in the devices that are accessing the corporate network. This growth in BYOD usage has led to new security risks. How does the security team know that the person logging in really is who they claim to be? This comes on top of the growing use of cloud and Internet of Things (IoT) devices. 

IoT and cloud bring new security challenges: 

Getting too comfortable with cloud: Too many executives assume that moving to the cloud means secure data and applications. The issue is that security becomes a shared responsibility. Some of that responsibility is down to the cloud provider, and part of the responsibility lies with the organization. That’s the part security leaders need to get right. 

Locking down IoT devices to beef up security: IoT devices rely on a central point of control, which is the cloud. So, again it’s important to ensure that it is secure. Newly-connected devices, the cloud, IoT devices can expand the attack surface – making the network vulnerable from a number of sources.

4. Lack of Cybersecurity Regulatory Framework  

We’ve grown familiar with GDPR data protection regulations and, more recently, the California Consumer Privacy Act (CCPA)  and its effects on how data is collected, stored, and made available. These stringent regulations make security against cyberattacks even more important. 

CISOs must ensure their organizations’ security structures are aligned with the new regulations. In addition, there are compliance requirements for taking credit card payments. The Payment Card Industry Data Security Standard (PCI DSS) specifies information security standards for organizations that handle credit card payments. Failure to comply could result in an organization being unable to take credit card payments. Similarly, HIPAA sets standards for health care record compliance. SOX is intended to prevent corporate accounting scandals. And there are others that may affect an organization, which it needs to be compliant with.

4 Ways to Get Ahead of Security Risks 

While organizations are ramping up security defenses, the threat of cyberattacks has not abated. If anything, attacks have intensified with the rise of cloud, and the cost of data breaches has surged.  Cleaning up after a breach and recovering data can cost millions and even lead to reputational harm. 

Now more than ever, a change of pace is needed in the following areas:

1. Improving Security Posture and Culture

Staff need to be trained to recognize phishing attacks and other kinds of social engineering attempts. And they need to be regularly reminded of their training. Online courses are available, and spoof emails can be sent to random staff members to see whether they respond to the email. If they do, they need further training. The statistics from each round of spoof emails should be published to highlight how aware the company is as a whole of these kinds of attacks.

Alerts need to be set up to identify when data is being copied or destroyed. Backups need to be able to recover data to as close to the time of the incident as possible. And the identity of the culprit needs to be sent to security in case it is a malicious insider attack.

Meanwhile, finding qualified and experienced security staff can be an issue. Gartner predicts Opens a new window that the number of unfilled cybersecurity roles will hit 1.5 million by the end of this year. It may well be worth training a member of staff to take on the role. They will already know your systems when they start to protect them.

2. Make the Board Understand the Costs of Risks 

It’s important that the CISO regularly presents to the board about security issues. It’s also important that when the CISO is writing papers for the board, they bear in mind the board member’s level of expertise. Board members will see the importance of security if the CISP puts things in terms of larger financial implications. 

For example, in 2014, JP Morgan Chase was hacked because of an error made by one person. This led to a cyberattack and compromised data associated with over 83 million accounts (76 million households and 7 million small businesses). It’s only by attending board meetings that the CISO can gain any kind of insight into the strategy the board has in mind and can help to steer it to incorporate security best practice.

Again, by highlighting the consequences of not spending enough money on IT security and indicating the severity of the threat from teams of hackers, CISOs can start to make board members aware of the defense spending that is required, and so get them to allocate the necessary funds.

Learn More: COVID-19 Shows That CISOs Who Can’t Investigate Threats Won’t Last

3. Adopt Smarter Access Control Solutions  

Ensuring that authorized people are accessing the applications can be achieved by first moving to multiple factor authentication (MFA) and then to zero-trust architecture. This will identify anyone who isn’t behaving as expected and block them and alert security staff.

Solving security issues around cloud and IoT devices requires trained security personnel who can monitor and understand threats posed by endpoints.  With the expanded attack surface from cloud to endpoints it’s important that CISOs maintain a grip on what’s going on. That means they need all the information on a single dashboard, showing information from multiple streams of network traffic.

4. Get Familiar With Regulations

Legal experts within a company need to ensure that the CISO is up-to-date with new regulations (if they aren’t already) and an audit will show whether the legal requirements are being met. The board must also be informed to ensure compliance fits in with their strategy moving forward and is not ignored.

Bottom line

CISOs need to start addressing the issues mentioned above so that they are better positioned to start looking at other pressing problems — such as new security technologies they should be investing in for planning a safe return to work for employees. They also need to weigh the right vendor partners that offer flexible and scalable solutions and look to implement frictionless technology that is easy to install, configure, and manage. Finally, they need to rethink disaster recovery plans that are agile and responsive.

Are there other challenges that CISOs are facing?  Comment below to let us know on LinOpens a new window Opens a new window ” aria-label=”undefined (opens in a new tab)” rel=”noreferrer noopener”>kedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!