CISOs, Do You Have Enough Resources to Do Your Jobs? No, We Didn’t Think So.

Introduction

Be honest – how many of you CISOs out there are relying on a kind of “fingers crossed” approach when it comes to protecting your most valuable organizational assets?

If you are nodding quietly in answer to this question, you’re not alone.

We get it. The role and responsibilities of the CISO have changed dramatically since the role’s inception in the 1990s.

20 years ago, CISOs were focused on securing and defending the network perimeter. This meant ensuring firewalls were configured properly, vulnerabilities were patched, and anti-virus software was up to date.

Boy, has the role changed… The responsibilities have grown almost exponentially. I think this remark describes the evolution rather well:

“The role is almost a unicorn – technical, but with people skills. Executive-level, but with project management capabilities. Laser-focused prioritization, but with broad overview knowledge and understanding.”

Today’s CISO needs to be intimately acquainted with all the regulatory requirements pertaining to their industry, geography, and data sets. They need to safeguard the vast amounts of sensitive data, identify and block all IT security threats – whether originating internally or externally – and ensure staff has the knowledge to spot and block sophisticated social engineering attempts.

And we haven’t even touched upon the sheer complexity of today’s network infrastructure and the myriad systems, apps, and devices they are expected to keep securely available for authorized users.

Reading this, it occurs to me that CISOs who’ve adopted a “let’s-pray-we-don’t-get-it” strategy are not just putting the company, its business partners, employees, and customers at risk; there is also the huge personal risk of being fired or “appropriately reassigned.” A CISO is a perfect scapegoat here.

And for every fair dismissal or reassignment, I’m willing to bet there is a smart, hard-working, well-intentioned CISO that gets caught in the crossfire, simply because of his or her job title.

Recently, at a SecureCISO Boston conference, we asked attending CISOs a number of questions around mitigating risk and improving IT security postures. Here are a handful of questions that were asked, along with a synopsis of answers received.

Q1: What is Your Biggest Obstacle to Improving Your Security?

The three most popular answers here were:

  • Lack of staff.
  • Lack of expertise/training.
  • Lack of budget.

CISOs really need to think hard before accepting a role that does not allow them to do their jobs properly. Staff, training, and money are all key elements of a strong defense. Information security is touted as a number one concern for many organizations, but without these three components, a CISO cannot even bring in specialist information security consultants to assess the risk to business-critical assets and help them formulate a cost-effective plan to prepare for disaster.

Q2: What Are Your Organization’s Top Issues Concerning Digital Threats?

  • Brand impersonation, abuse, and reputational damage.
  • Government and industry penalties associated with breach or non-compliance.
  • Phishing and malware attacks on employees and customers.

The answers to this question varied widely. CISOs, as we’ve established, have a lot on their plates to worry about, including compliance, cyberattacks, and reputational damage. Depending on the assets you need to protect, the industry you are in, and the regulations you need to follow, the priorities and focus will differ.

Q3: How Do You Measure Risk Within Your Environment?

  • Vulnerability scans.
  • System exposure analysis.
  • Nothing enterprise-wide yet.

Most respondents did not feel they had a proper handle on their risk posture. Sadly, there is no out-of-the-box approach, which makes everything more difficult for the CISO. We recommend CISOs bring in experts that will first listen carefully to your requirements before making recommendations. Simply performing a standard pen test to prove your vulnerability helps no one. Every organization and system is vulnerable somewhere.

The key is to nail down a clear and specific information security strategy that fits your requirements and reduces your organization’s (and your personal) risk exposure. A risk assessment should always be tailored to what your organization must protect.

Q4: Why Do You Believe Your Most Valuable Information Assets Are Secure?

Almost every response we received to this question differed. Some said they chose to believe that they were secure, which was a bit shocking. One CISO, for instance, replied to this question with “Just do.”

Others admitted that they either had no confidence, or minimal confidence, in the security of their most valuable information, citing the aforementioned lack of money, training, or talent as one of the primary culprits.

We can only hope that organizational stakeholders are made properly aware of the situation. Stakeholders would be wise to pay attention when a CISO raises the alarm.

Conclusion

With October being National Security Awareness Month, the time is now to begin listing all the business-critical assets within your organization. Once you know what to secure from unauthorized access, you can build realistic disaster scenarios for stakeholders to help drive the problem home. The hope, of course, is that you get them to stump up the resources you need to do (and keep) your job.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.
