Whichever way you look at it, the role of CISO is becoming an increasingly unattractive prospect. Whether it’s the sheer scale and variety of 24/7 threats facing businesses today, the complex compliance requirements that must be fulfilled, or the growing scrutiny of cybersecurity operations at board level, it’s almost an unwinnable position.
Plus, let’s not forget that the CISO is typically the first person to face the firing squad if a serious security breach does occur.
Despite this, the global demand for experienced CISOs has never been higher. Interestingly, we’re now in a situation where many CISOs simply aren’t ready to rise to the enormous challenge presented to them and in many cases, security teams are failing to effectively secure the interests of the business.
If organizations don’t start to give CISOs the proper support, training and recognition that they deserve, we might never be able to reverse the damage. The security industry has a major role to play here too and CISOs can easily help themselves be being seen as a more strategic and effective member of the executive leadership team.
CISOs should focus on strategy, not fire fighting
A longstanding over-reliance on ‘shock and awe’ reporting has resulted in the wrong stories being told. This leaves CISOs and the perceived value of the security team pigeon-holed into sub-ordinate roles to other C-suite members. Telling the board that “100,000 security attacks were repelled last month” sounds impressive the first time, but statistics like this do nothing to serve the longer-term interests of the business, they very seldom result in change, and only serve to reinforce the tactical perception of the CISO role.
CISOs and their teams must learn to tell better stories, focusing on prior security incidents and lessons learned from response. They must share for action, not for awe. The actions and observations of the security team must become the bedrock of organizational strategy.
Rather than just focusing on the number of attacks repelled (a statistic), security teams should share a short story, based on observed themes. This should appeal to a variety of audiences:
- Tell a story: “Over the past six months our security team has observed an increase in stolen and misused credentials, both from internal incidents and discovered accounts on the dark web. In the process of responding to the incidents, several gaps were identified that require ongoing attention and enterprise prioritization.”
- Make it clear this is more than an “IT” problem: “The manual password reset process and limited analytic and response tools caused significant abrasion for our clients and business operations teams. The slow time to respond and the repeated calls resulted in missed business SLAs, a contract penalty, and put one renewal at risk.”
- Include direct cost to the business: “The combined cost of the last seven incidents totaled £550,000 based on lost productivity, contract SLA penalty, and calls to the helpdesk alone. This does not represent the larger risk of a breach, if it were to occur.”
- Explain the root cause: “The majority of attacks tie back to desktop malware, resulting in stolen credentials of associates and our clients. Impact is made greater by limited response tools and the use of username and password only for our customer-facing sites.”
- What was required to fix or prevent it: “Five security personnel worked 500 hours; response was slow as it was difficult to manually piece together possible misuse of internal user credentials. It was difficult to assist customers with their account resets. Due to a lack of context, some clients had all accounts reset.”
- Required long-term correction: “For internet-facing sites, we can no longer depend on simple authentication; logging is insufficient in many areas; new tools are needed for analytics and response to cut down abrasion and exposure. The long-term fix will cost £650,000 and six months to reach full operation once funded. Each of these opportunities for improvement will be tracked in the board report, added to the GRC program within the risk organization and shared with the proper channels for legal and privacy. Due to the abrasion experienced on the renewal, my organization will present a recap of this issue at the next sales quarterly business review. It should be noted these risks add friction the areas that make money for our business, as a result the long term fix also intersects in a similar way – this is larger than IT.”
Reporting in this manner not only gives senior board members a more detailed understanding of security operations, it helps them understand how budget is being spent and where money can be saved with the right investments. Doing so makes the CISO role much more strategic, warranting a seat of their own at the board table, whilst also making it much easier to justify budget requests both now and in the future.
Stephen Moore will be speaking in the session "CISO's Getting Fired - The Future of Breach Accountability" in the Infosecurity Magazine Virtual Conference on 20th and 21st March. Register here.