
Risk management challenges for CISOs and how to proceed


Being a chief information security officer involves juggling a lot of variables, from anticipating the next ransomware threat to justifying yearly budget requests to making sure staffers are properly trained.

Here are the top risk-related challenges that a CISO may face, along with ways to meet those challenges head-on and to interface with other CISOs who may be encountering similar issues.

1. Communicating with stakeholders.

The job of chief information security officer is different from every other position in the executive suite. It can often be difficult for a CISO to explain in plain English to other members of the leadership team why more staff need to be hired, why existing staff members need additional training, or how serious certain types of threats are.

"CISOs face a unique hurdle in that they are often the newest C-suite executive in the room during meetings of the senior leadership team, and they are reporting on a sector of the business that is often the least understood," wrote risk-assessment firm AuditBoard in a February 2022 blog post.

Such miscommunication can have grave results. Undertraining of security teams or failure to pivot to new defense tactics can raise the risk of adverse incidents such as data breaches or ransomware attacks.

Yet the CISO needs to make the case to proactively defend against attacks rather than reactively implement such measures only afterwards. If you're a CISO, you never want to be fighting the last war instead of the one to come — but it can be hard to make that case to the board.

The solution is to learn to speak the language of the C-suite and the board and to look the part. CISOs who have risen through the ranks of security teams may need to adjust their fashion sense, mannerisms and conversational skills accordingly to better "fit in" with the suits.

More importantly, CISOs will need to learn to communicate with other executives on their own terms. Instead of dwelling on technicalities, present your requests and your needs in terms of key performance indicators (KPIs) and measurable goals. Explain that attacks your organization hasn't yet suffered are nonetheless quantifiable risk and should be part of the overall risk profile.

"The most successful CISOs are able to quickly explain their area to peers and also provide data that's helpful and informative to the rest of the business," wrote AuditBoard.

2. Fighting the budget battle.

Most of the leadership team probably has MBAs and understands the language of business. You may have a CISSP and think in terms of cybersecurity threats, risks and mitigations. Yet you need to convince the C-suite and the board to boost your budget, buy new tools or beef up your security team — all to thwart hypothetical attacks that the rest of the executives may have never heard of.

"In success, companies fund required CISO-led security initiatives and then never see exactly why they needed that security," wrote AuditBoard.

The way to get your budget requests approved is, once again, to use KPIs and measurable numbers, but also to add cybersecurity to the company's business risk profile, expressed as event probabilities and expected losses that fellow executives can understand.

Show how much mean time to respond (MTTR) would fall by switching from EDR to XDR, or how much the organization would save by moving from perimeter-based security to SASE/SSE, using figures drawn from your own incident records and actual vendor costs rather than generic estimates. Spare the technical details and talk about dollars and cents.
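As an added illustration of putting a request in those terms (this is example code written for this page, not anything from the article's author or the firms it quotes), the block below computes two of the numbers a board will actually respond to: the MTTR before and after a tooling change, measured from incident timestamps, and the net annual benefit of a control, derived from per-scenario event frequencies and loss magnitudes. All incident records, frequencies, dollar amounts and the control's annual cost are constructed for the example; in practice they come from your own ticketing data, insurance or industry loss figures, and real quotes.

```python
"""Turn incident data and loss scenarios into board-level numbers.

Added example; all figures below are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in the business risk profile."""
    name: str
    annual_frequency: float   # expected events per year (assumed)
    loss_per_event: float     # expected cost per event in dollars (assumed)


def mttr_hours(incidents):
    """Mean time to respond, in hours, over (detected, resolved) ISO timestamps."""
    durations = []
    for detected, resolved in incidents:
        start = datetime.fromisoformat(detected)
        end = datetime.fromisoformat(resolved)
        if end < start:
            raise ValueError(f"resolved before detected: {detected} -> {resolved}")
        durations.append((end - start).total_seconds() / 3600)
    return mean(durations)


def expected_annual_loss(scenarios):
    """Annualized expected loss: sum of frequency x magnitude per scenario."""
    return sum(s.annual_frequency * s.loss_per_event for s in scenarios)


def control_value(baseline, with_control, annual_cost):
    """Net annual benefit of a control: expected loss avoided minus its cost."""
    avoided = expected_annual_loss(baseline) - expected_annual_loss(with_control)
    net = avoided - annual_cost
    return {
        "loss_avoided": avoided,
        "net_benefit": net,
        "return_on_investment": net / annual_cost,
    }


# Constructed incident records (detected, resolved) before and after a change.
INCIDENTS_BEFORE = [
    ("2023-03-01T08:00", "2023-03-03T08:00"),   # 48 h
    ("2023-05-10T10:00", "2023-05-11T10:00"),   # 24 h
]
INCIDENTS_AFTER = [
    ("2024-02-01T09:00", "2024-02-01T15:00"),   # 6 h
    ("2024-04-02T12:00", "2024-04-02T22:00"),   # 10 h
]

# Constructed scenarios: the control is assumed to cut ransomware impact
# (faster containment) and halve business email compromise frequency.
BASELINE = [
    Scenario("ransomware", annual_frequency=0.3, loss_per_event=2_000_000),
    Scenario("business email compromise", annual_frequency=2.0, loss_per_event=50_000),
]
WITH_CONTROL = [
    Scenario("ransomware", annual_frequency=0.3, loss_per_event=800_000),
    Scenario("business email compromise", annual_frequency=1.0, loss_per_event=50_000),
]
CONTROL_ANNUAL_COST = 150_000   # assumed licence plus staffing cost


if __name__ == "__main__":
    print(f"MTTR before: {mttr_hours(INCIDENTS_BEFORE):.1f} h")
    print(f"MTTR after:  {mttr_hours(INCIDENTS_AFTER):.1f} h")
    print(f"Expected annual loss, baseline: ${expected_annual_loss(BASELINE):,.0f}")
    result = control_value(BASELINE, WITH_CONTROL, CONTROL_ANNUAL_COST)
    print(f"Loss avoided: ${result['loss_avoided']:,.0f}, "
          f"net benefit: ${result['net_benefit']:,.0f}, "
          f"ROI: {result['return_on_investment']:.0%}")
```

The frequency-times-magnitude model is deliberately simple so the inputs can be defended line by line in a budget meeting; the point is that every number traces back to a record or a quote, and the request is stated as expected loss avoided per dollar spent rather than as a list of product features.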

"Stakeholder engagement is particularly important for CISOs," wrote the British Standards Institution in an August 2019 white paper. "Keeping board members regularly updated about information security-related business risks, active budget engagement and realization of benefits is all crucial to getting widespread buy-in."

3. Keeping your staff happy and up to date.

Staff retention is a constant headache for CISOs, especially those in larger organizations, as talented security-team members are always at risk of being poached. An undermanned, underskilled security team is a quantifiable risk that can be mitigated.

You want to give every valued member of your team reasons to turn down recruiters. Here are a few methods:

— Make certain your security staffers are paid fairly. You may not be able to match every salary offer they get, but you definitely don't want them to feel underpaid.

— Present them with clear paths to career advancement, such as opportunities to become team leaders or even, well, be ready to take your job.

— Check to be sure they're not burned out. Fighting cybersecurity threats can take a psychological toll on defenders, and you want to have enough staffers so that the workload is distributed in humane amounts.

— Give them opportunities for professional development, especially regarding training and education. Each security staffer is aware of the importance of keeping up with the latest threats and techniques, both to do their own job properly and to be hirable if opportunities elsewhere arise.

4. Keeping yourself educated.

It isn't just security staff members who need to keep abreast of the latest threats, compliance regulations and industry developments — their leader does too. A CISO who isn't constantly learning new things is falling behind, and the entire organization's risk profile may suffer as a result.

"CISOs face evolving cyberthreats and need to educate themselves, their security teams, and all relevant team members on how to protect against existing and any new data breach threats," wrote AuditBoard.

Don't assume you know everything just because you're the CISO. Take training seminars, attend conference presentations, read white papers and keep up with the latest industry and regulatory standards.

Most importantly, connect with other CISOs, both in your industry and outside of it, to trade knowledge and experiences. Use networking organizations such as the Cybersecurity Collaborative, which is developing new risk-assessment standards, or the Cybersecurity Collaboration Forum, which facilitates the sharing of information among like-minded security team leaders. A crowd of peers will always know more than a single individual can.

5. Sharing what you know.

Once you've learned how to communicate with other members of the organization's leadership team, use those skills to talk to the rest of the company. Organize seminars using next-generation training methods, including short, frequent sessions and dynamic team exercises. Human error is often the biggest cybersecurity risk factor facing an organization, and spreading your security knowledge will only help lessen your risk profile.

"Underpinning all the challenges facing the CISOs is the requirement to create a culture of security awareness within the organization," wrote the British Standards Institution. "The more people understand it, the better equipped your organization will be."

Paul Wagenseil

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
