The CISO Pressure Cooker
Evolution of the Role Leaves CISOs on the Hook and Still Fighting for a Seat at the Table
Nearly 30 years ago, in 1994, the financial services multinational Citicorp was hacked by cybercriminals. At that time, the company decided to take the bold step of creating a new C-level position to reinforce it against future attacks. This significant milestone marked the birth of the Chief Information Security Officer, also known as the CISO.
Since then, the role of the CISO has evolved significantly. In the beginning, CISOs owned an organization's information and data security responsibilities. They were regarded as technical experts but were not generally consulted on business decisions. But over the years, as cybersecurity became bigger than an IT headache, the CISO role advanced.
In just the last few years, the role of the CISO has become more commonplace, and their strategic value to the business has become increasingly evident to stakeholders. As a result, CISOs have truly earned a seat at the table with other C-level executives and business leaders.
However, being viewed through a new lens means that CISOs face new responsibilities. Because they are critical to the entire company's success, they must tie their work to the more significant needs of the business. For example, they need to map security strategies to meet new challenges head-on, while also lending their expertise in support of key business objectives.
Advancing Cyber Issues Means Bigger Challenges
In recent years, companies everywhere have experienced the escalating threat landscape and unprecedented security challenges. As a result, today’s CISOs are facing a number of difficult issues.
For starters, the struggle to keep up with constantly shifting priorities never ends. Typically, a plan is set, but as the threat landscape evolves and new attacks occur, CISOs are left to figure out how to pivot accordingly while still maintaining control.
Next on the list of challenges is how to effectively demonstrate justification for the budget needed to protect the business. Budget justification is always tricky as the business climate demands that all organizations ‘do more with less.’ Given this unavoidable crunch, some CISOs recommend first spending time to deeply understand the company and where cybersecurity fits into the business model before deciding where to prioritize spending. CISOs also know that program areas where it is difficult to estimate and measure the impact of cyber risk reduction efforts, like training and development, are the hardest to justify.
After passing the budget justification hurdle, next comes the potentially more difficult task of validating ROI on programs, technologies, and overall security strategy. Alignment is the key. In order to demonstrate ROI to the company’s executive team, CISOs need to consider projects enterprise-wide, not just those within their department. Establishing an information security connection and assigning value to projects and solutions will enable CISOs to share the quantifiable results of their data protection strategies.
Finally, we must not overlook the daily struggle of navigating the overwhelming influx of technology vendors vying for a spot in the security stack. In order to deal with the constant barrage, CISOs need to step back, evaluate their unique threat landscape, and decide whether new solutions are needed at all. If so, filtering out the noise to find the right solutions may be hard, but it is an important part of building the right security strategy.
All Eyes on The CISO
The buildup of challenges and risk invariably leads to greater pressure on today’s CISO. The stress extends beyond the office, as CISOs can be assigned personal responsibility for the potentially enormous repercussions to the company if something goes wrong. After all, if there is a damaging breach, the CISO is left holding the bag. Look no further than the conviction and guilty verdict of Uber’s former CSO last fall to know that the personal risk is real. Because CISOs can be charged and legally implicated for damages, it’s essential that they know how to protect themselves. Lawyers have advised CISOs not to enter into employment contracts blindly when joining a company. Lawyers have even gone so far as to advise their clients to consider requesting alternate titles, such as VP of Cybersecurity, which may offer some protection from the exposure that comes with being part of the C-suite.
All of this leaves today’s CISO simultaneously in defense of, and potentially at odds with, their own company and executive team. According to a report by FTI Consulting, 85% of CISOs say that the prominence of cybersecurity on the board’s agenda has increased over the last 12 months, with 79% feeling heightened scrutiny from top leadership. The report goes on to state that executive leadership’s lack of understanding of the role CISOs play in the organization (55%) prevents CISOs from articulating critical priorities. A further 53% say their cybersecurity priorities are not completely aligned with C-suite leadership.
For more information on how Atakama can help CISOs navigate the technology landscape for unrivaled data protection, visit www.atakama.com