Top challenges holding back CISOs’ agendas

In the past decade, every CISO knew the question awaiting them in the boardroom: Can we survive the next cyberattack? Now, as the turbulent 2024 draws to a close, the concerns have multiplied, says Don Gibson, the CISO at Kinly. Board members are often asking: Can we survive these economic times? Or are we prepared for geopolitical storms?

Intensifying global conflicts, economic instability, and a surge in new regulations have put pressure on CISOs and their organizations. Today, chief information security officers have to manage an array of issues, often with limited resources at their disposal.

Tight budgets, competing priorities, and the ongoing struggle to attract and retain skilled talent are among the hurdles CISOs face in their effort to secure organizations, according to a recent survey by Foundry. Other challenges include low employee awareness and training, as well as organizational and cultural barriers, all of which can hamper their ability to be effective.

While doing more with less has always been part of the job, today’s pressures call for a bit of a rethinking. “Adjust your expectations,” says Gibson. “There’s always an option.”

From an organization-wide perspective, cybersecurity often sits low on the priority ladder because it doesn’t generate revenue directly. Avishai Avivi, CISO at SafeBreach, compares it to insurance: “You prefer not to pay for it, but you’re happy when you need it and have it.”

With limited resources and an ever-growing list of threats, CISOs are often caught managing multiple projects at once. Some of these might move forward bit by bit, but without clear milestones or measurable progress, it’s difficult to show their real impact. This makes it harder for CISOs to secure extra funding or support, especially when stakeholders can’t see solid, tangible results.

“That makes it almost impossible to show meaningful success,” says John Terrill, CSO at Phosphorus. “A lot of times, this can come from trying to boil the ocean.”

Many CISOs recommend learning to “speak business” and occasionally scaring the board to get more funding, but these can only go so far. “The company has a finite amount of resources; you need to make peace with that,” Avivi says.

In such a situation, CISOs have to get strategic about which risks to tackle first. It’s all about figuring out what needs urgent attention versus what can stay as-is for now.

Automated tools can also be of great help, especially for smaller companies that can’t afford large, dedicated security, compliance, and data privacy teams. “Organizations must implement and take advantage of automated GRC solutions that help with combining risk, compliance monitoring, vulnerability monitoring and intrusion detection,” says Metin Kortak, CISO at Rhymetec.

Juggling priorities

When faced with a long list of priorities but only so many resources, creating a clear set of risk appetite statements can be a game-changer. It helps define what level of risk the organization is willing to accept, making it easier to decide where to focus efforts and resources.

“Aligning both the workforce and the organization’s leadership around risk appetite helps tremendously to focus your energy and your dollars in the places that most need them,” says Ken Deitz, CISO at Secureworks. “If an organization has a stated risk appetite for security risk, the priorities start to jump off the page.”

CISOs should be open about the risk the organization will take if their priorities are not addressed. “This presentation needs to be in business-relevant terms,” Avivi says. “Just telling the CEO and the board that we must pass a SOC 2 Type II audit doesn’t carry the same weight as informing them that our customers demand a clean SOC 2 Type II certification for any new sales to close.”

Gibson also supports this approach. “You own your strategy, so you make the decisions on priorities. If the board wants you to change them, then they can own the risk and educate you why this is more important.”

Building a culture of security across the organization

Some priorities might be up for debate, but one thing isn’t negotiable: building a strong security culture across the organization. Well-meaning employees who are simply curious or just want to help may click on a phishing link or mishandle sensitive information, opening the door to threats.

To address this, proactive training is essential. “Organizations need to invest in up-to-date cybersecurity training and use artificial intelligence and machine learning to simulate real-time cyberattacks,” says Kortak. “Employees must be given hands-on experience in responding to threats to ensure they understand theoretical concepts and can apply practical skills in real-world scenarios.”

At the same time, staying secure should be straightforward; it needs to feel like a natural part of doing business. “I try to lead with the philosophy that doing the right thing should be easy,” Deitz says. “If complying with an organization’s security processes is complicated and byzantine, you will never be successful.”

For example, implementing a passwordless FIDO2-based authentication system will make the organization more secure and reduce complexity for employees while removing the requirement to remember unique complex passwords, Deitz says.

Security training should include everyone, even those in technical roles, particularly in companies where IT is central to the business. “IT engineers are trained to deliver functional products, an app, a network, etc., not a secure product,” says Dimitri Chichlo, CSO at BforeAI. “CISOs who fail to address this issue holistically risk creating a vulnerable human layer within their first line of defense.”

Overcoming organizational and cultural barriers

The CISO’s job can get challenging when organizational and cultural barriers come into play. Security teams, for example, can feel frustrated or discouraged when they’re unable to perform at their best due to factors beyond their control. And other teams may often need information on why it’s important to support cybersecurity-related projects that don’t offer immediate results.

To address this issue, Avivi adjusts his message, aiming to connect with each team in a way that really resonates with them. “For example, developers will freely acknowledge that fixing a security bug proactively and at their own pace is much easier than having a customer screaming at them when the bug is now a breach that you must drop everything and fix,” he says. “As a CISO, you must understand their needs and context and how your program impacts them.”

Many organizational and cultural barriers can be overcome through communication and collaboration. “Spending time and energy on managing relationships and building confidence with your fellow leaders is never wasted energy,” Deitz says.

Winning the talent game

With the talent gap still affecting cybersecurity, CISOs must be smart about building and keeping a skilled team. Often, cybersecurity experts can be more difficult to replace than developers, and this process takes time and money.

“For some roles like engineering, employees can and often start working on day one,” Kortak says. “When a new cybersecurity employee is hired, they must gain historical knowledge about the company and be trained to learn the past frameworks and security policies that the previous person put in place.”

When hiring, Deitz recommends that organizations prioritize enthusiasm and work ethic over technical knowledge and experience. “Leaders should consider training people to do the job as a better investment than paying for the most experienced candidate on the market,” he says. “The best security performer is almost always the one you train from the start.”

Employees are often more likely to stay with a company if they feel they have opportunities for growth. It is why giving them reach goals and “providing upward mobility” is key, says Terrill. And so is managing their workload. As Howard Taylor, CISO at Radware, put it, “without the ability to add more staff and tools, the workload for CISOs and security teams continues to grow exponentially, increasing the risk of burnout.”

To prevent that, CISOs should look after their team and allow them to take a break every once in a while. That’s exactly what Gibson did on a sunny day after a month of bad weather. “I brought them into an urgent meeting and told them to get off their machines and get outside for an hour. Feel the sun. Breathe the fresh air,” he says. “They still talk about it.”

Regulations, AI, nation states derailing CISOs’ plans

There are also other issues CISOs have to deal with. One of these is related to the rapidly evolving regulatory demands. “Regulators all over the globe are starting to assert more control around what they want to see with security programs within businesses, and as a result, regulatory compliance is being prioritized highly,” Deitz says.

AI is also changing the game. There is a massive rush to embrace AI technologies in multiple layers without completely understanding all the implications, according to Avivi. “Related to it is the whole topic of deepfakes, which amplifies malicious actors’ ability to successfully execute social engineering attacks against your most vulnerable assets, your employees.”

Terrill also worries about attacks sponsored by nation states. “This is starting to change a lot of priorities to take a look at zero trust, micro segmentation, OT/IoT defense, and other strategies thought to be more advanced,” he says. “That’s in the backdrop of a lot of industry groups pushing back on CISA’s reporting requirements in CIRCIA. So, there’s a desire to improve security but not much desire to report incidents.”

In light of all these pressures, Gibson recommends that CISOs remember they are human and should try to look after themselves. “Remember that your job doesn’t love you,” he says. “It’s fine to love your job like I do, but if you are neglecting yourself and can’t continue for any reason, yes, people will be sad, but your job will be getting filled in a few weeks. Your job doesn’t love you.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3609884/top-challenges-holding-back-cisos-agendas.html
