Be honest – how many of you CISOs out there are relying on a kind of “fingers crossed” approach when it comes to protecting your most valuable organizational assets?
If you are nodding quietly in answer to this question, you’re not alone.
We get it. The role and responsibilities of the CISO have changed dramatically since the role’s inception in the 1990s.
20 years ago, CISOs were focused on securing and defending the network perimeter. This meant ensuring firewalls were configured properly, vulnerabilities were patched, and anti-virus software was up to date.
Boy, has the role changed… The responsibilities have grown almost exponentially. I think this remark describes the evolution rather well:
“The role is almost a unicorn – technical, but with people skills. Executive-level, but with project management capabilities. Laser-focused prioritization, but with broad overview knowledge and understanding.”
Today’s CISO needs to be intimately acquainted with all the regulatory requirements pertaining to their industry, geography, and data sets. They need to safeguard the vast amounts of sensitive data, identify and block all IT security threats – whether originating internally or externally – and ensure staff has the knowledge to spot and block sophisticated social engineering attempts.
And we haven’t even touched upon the sheer complexity of today’s network infrastructure and the myriad systems, apps, and devices they are expected to keep securely available for authorized users.
Reading this, it occurs to me that CISOs who’ve adopted a “let’s-pray-we-don’t-get-it” strategy are not just putting the company, its business partners, employees, and customers at risk; they are also taking on the huge personal risk of being fired or “appropriately reassigned.” A CISO is a perfect scapegoat here.
And for every fair dismissal or reassignment, I’m willing to bet there is a smart, hard-working, well-intentioned CISO that gets caught in the crossfire, simply because of his or her job title.
Recently, at a SecureCISO Boston conference, we asked attending CISOs a number of questions around mitigating risk and improving IT security postures. Here are a handful of questions that were asked, along with a synopsis of answers received.
The three most popular answers here were staff, training, and money.
CISOs really need to think hard before accepting a role that does not allow them to do their jobs properly. Staff, training, and money are all key elements of building a strong defense. Information security is touted as a number one concern for many organizations, but without these three components, a CISO cannot even bring in specialist information security consultants to assess the risk to business-critical assets and help formulate a cost-effective plan to prepare for disaster.
The answers to this question varied widely. CISOs, as we’ve established, have a lot on their plates to worry about, including compliance, cyberattacks, and reputational damage. Depending on the assets you need to protect, the industry you are in, and the regulations you need to follow, the priorities and focus will differ.
Most respondents did not feel they had a proper handle on their risk posture. Sadly, making everything more difficult for the CISO, there is no out-of-the-box approach. We recommend CISOs bring in experts who will first listen carefully to your requirements before making recommendations. Simply running a standard pen test to prove that you are vulnerable helps no one; every organization and system is vulnerable somewhere. What matters is whether the findings are tied to the assets that actually matter to the business.
It is key to nail down a clear and specific information security strategy that fits your requirements and reduces your organization’s (and your personal) risk exposure. A risk assessment should always be tailored to what your organization must protect.
Almost every response we received to this question differed. Some said they chose to believe that they were secure, which was a bit shocking. One CISO, for instance, replied to this question with “Just do.”
Others admitted that they either had no confidence, or minimal confidence, in the security of their most valuable information, citing the aforementioned lack of money, training, or talent as one of the primary culprits.
We can only hope that organizational stakeholders are made properly aware of the situation. Stakeholders would be wise to pay attention when a CISO raises the alarm.
With October being National Cybersecurity Awareness Month, the time is now to begin listing all the business-critical assets within your organization. Once you know what to secure from unauthorized access, you can build realistic disaster scenarios for stakeholders to help drive the problem home. The hope, of course, is that you get them to stump up the resources you need to do (and keep) your job.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.