The CISOs of Today: Grappling With Increasing Responsibilities (CISO Chronicles Part 2)
Today, CISOs are strategic thinkers, shaping their company's cybersecurity approach amidst new challenges like increased technical autonomy among workers, remote work dynamics, and talent shortages.
Now that security sits at the top of the CISO's priorities, they face a tricky perception challenge: They're the ones urging caution while everyone else is charging toward the latest tech and business trends.
They’re the voices of reason, balancing the need for tight cybersecurity with the company's ambitious plans.
For CISOs, it’s all about finding that sweet spot where security meets innovation, coordinating across the entire organization, and bridging gaps between departments and external partners to fortify cyber defenses.
Let's delve into the expanding responsibilities of today’s CISOs in this constantly advancing landscape.
If you missed Part 1 of this three-part series, then click here to start from the top!
As SaaS products and other advanced tools become easier to access, everyday workers have gained more autonomy in solving their own problems. The trouble is that these homegrown solutions are often not as secure as the people adopting them assume, which gives CISOs cause for concern.
“Shadow IT” refers to the use of software, applications, or services without the knowledge or approval of the IT and security departments in an organization. This can include anything from unapproved SaaS applications to unauthorized hardware devices.
Here's why it's a significant and growing concern for CISOs:
- It lacks oversight and security controls. Shadow IT is adopted without the IT department's knowledge, so it usually misses the controls applied to sanctioned tools: patching, logging, access reviews, and backups. An employee might pick an unapproved project management tool off the internet. It offers convenience, but if it goes unpatched or is misconfigured, the data stored in it is exposed, and a compromised account there can become a foothold for malware or a data breach.
- It puts an extra burden on CISOs. Tools and applications outside a CISO's purview create blind spots that inevitably lead to headaches later on. If a department starts sharing files through an unauthorized cloud storage service, that traffic bypasses the established security measures. The service may not meet the organization's data protection standards, leading to leaks or breaches that land on the CISO's plate.
- It carries compliance and regulatory risk. Shadow IT can also lead to non-compliance with regulatory standards, since these tools may not meet the required security controls or contractual terms. A team might adopt an unauthorized file-sharing application that does not satisfy GDPR or HIPAA requirements for protecting personal or health data. The organization could then violate privacy law without knowing it, leading to legal exposure and potential fines for which the CISO may be held accountable.
In essence, the role of the CISO is not just to protect the organization from external threats but also to manage internal risks, including those posed by Shadow IT. They must work to detect these unauthorized tools, assess their risks, and either integrate them securely or remove them.
This is a challenging task requiring the balance of security with the needs of employees who may turn to Shadow IT for more efficient or convenient solutions.
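Detection is where this starts in practice. The script below is an added example (not code from the original article) that scans web-proxy logs for SaaS services the organization has not sanctioned and ranks the findings by how much data was uploaded to them, so a department quietly moving files into an unapproved storage service surfaces first. The log format, the sanctioned list, the SaaS catalogue, the 50 MB upload threshold, and the log lines themselves are all constructed for the example; a real deployment would feed it from the proxy or a CASB and use a proper public-suffix list instead of the crude domain reduction.

```python
"""Flag unsanctioned SaaS usage in web-proxy logs (added example, not the
article's own code)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical list of SaaS services the security team has approved.
SANCTIONED = {"sharepoint.company.example", "slack.com", "github.com"}

# Hypothetical catalogue mapping SaaS base domains to a category. In
# practice a CASB or a maintained registry supplies this.
SAAS_CATALOGUE = {
    "dropbox.com": "file sharing",
    "wetransfer.com": "file sharing",
    "trello.com": "project management",
    "slack.com": "chat",
    "github.com": "source control",
}

# Constructed sample log lines in a simplified proxy format (assumption):
# <epoch> <user> <method> <url> <status> <bytes_out>
SAMPLE_LOG = """\
1700000000 alice GET https://slack.com/api/conversations.list 200 512
1700000005 bob POST https://www.dropbox.com/upload 200 52428800
1700000010 bob POST https://www.dropbox.com/upload 200 10485760
1700000012 carol GET https://trello.com/b/abc123/board 200 900
1700000020 alice GET https://github.com/org/repo 200 1200
1700000030 dave POST https://wetransfer.com/api/v4/transfers 201 734003200
1700000040 carol GET https://news.example/article 200 300
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.dropbox.com -> dropbox.com).
    This is a simplification; production code should use a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, url, status, bytes_out = m.groups()
    host = urlsplit(url).hostname or ""
    return {"ts": int(ts), "user": user, "method": method, "host": host,
            "status": int(status), "bytes_out": int(bytes_out)}


def classify(host):
    """Return (base_domain, category, sanctioned) for a known SaaS host,
    or None if the host is not in the catalogue at all."""
    domain = registrable_domain(host)
    category = SAAS_CATALOGUE.get(domain)
    if category is None:
        return None
    sanctioned = domain in SANCTIONED or host.lower() in SANCTIONED
    return domain, category, sanctioned


def find_shadow_it(log_text, upload_threshold=50 * 1024 * 1024):
    """Aggregate unsanctioned SaaS use per (user, service).

    Only successful requests count, and only POST/PUT bodies count toward
    uploaded bytes. Results are sorted so the largest potential data leak
    comes first."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "category": ""})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue
        hit = classify(rec["host"])
        if hit is None:
            continue
        domain, category, sanctioned = hit
        if sanctioned:
            continue
        entry = stats[(rec["user"], domain)]
        entry["category"] = category
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_out"] += rec["bytes_out"]
    findings = [
        {"user": user, "service": domain, "category": s["category"],
         "requests": s["requests"], "bytes_uploaded": s["bytes_out"],
         "large_upload": s["bytes_out"] >= upload_threshold}
        for (user, domain), s in stats.items()
    ]
    findings.sort(key=lambda f: f["bytes_uploaded"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_shadow_it(SAMPLE_LOG):
        flag = " LARGE UPLOAD" if f["large_upload"] else ""
        print(f"{f['user']:6} {f['service']:16} {f['category']:20} "
              f"req={f['requests']} up={f['bytes_uploaded']}{flag}")
```

Run against the constructed log, the report lists dave's 700 MB transfer to WeTransfer and bob's repeated Dropbox uploads ahead of carol's read-only Trello visit, while alice's Slack and GitHub traffic is ignored because those services are sanctioned. The point of ranking by upload volume rather than request count is that the compliance and data-leak risk the article describes scales with what leaves the organization, not with how often a tool is opened.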
Traditionally, CISOs primarily focused on securing a relatively controlled and centralized IT environment, typically within the physical confines of an organization's premises.
This involved managing security within office networks where employees worked from company-provided devices and accessed resources through a secure, internal network.
However, remote work had been growing gradually since the early 2000s, and it exploded in popularity under the public-health measures of the COVID-19 pandemic in early 2020. Even after lockdowns eased and the pandemic wound down, the convenience and affordability of remote work proved significant enough for it to remain widespread.
With many companies shifting the bulk of their workforce to remote/hybrid work, the days of CISOs having complete control over their company’s network were over.
Now, CISOs must secure a more dispersed and varied environment in which employees reach company resources from many locations and over networks the company does not control, such as shared home networks or coffee shop Wi-Fi.
The challenge has expanded from securing a centralized, controlled environment to ensuring the security of a distributed workforce operating in multiple, often unsecured locations. In fact, 72% of surveyed CISOs believe remote work is dangerous for their company's security.
With everyone working from pretty much anywhere, it's now crucial to verify who (and what device) is really on the other end of a connection. However, effective authentication of users and devices remains something many CISOs are still struggling with.
As the digital workplace extends its reach, the adoption of solutions like SASE (Secure Access Service Edge) is climbing, predicted to be part of over 50% of organizations' strategies by 2025.
This uptick reflects a shift toward a more holistic approach to security – integrating policies that cover not just who but how and why access is granted, ensuring a seamless and secure experience for all legitimate users.
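What "not just who but how and why" looks like in code is a policy that combines identity, device posture, resource sensitivity, and network location into one decision, and never lets the network alone grant access. The following is an added example (not from the article or any SASE vendor) of such a policy; the corporate IP range, the 30-day patch limit, the sensitivity tiers, and the treatment of FIDO2/WebAuthn as phishing-resistant are assumptions chosen for illustration.

```python
"""Context-aware access decisions for a distributed workforce (added example,
not the article's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Hypothetical corporate address space. Being inside it relaxes nothing on
# its own; it is only one input to the decision.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
PHISHING_RESISTANT = {"fido2", "webauthn"}   # assumption: these count as strong
MAX_PATCH_AGE_DAYS = 30                       # assumption: policy threshold


@dataclass
class AccessRequest:
    user: str
    mfa_method: Optional[str]   # "fido2", "totp", "sms", or None if no MFA
    device_managed: bool
    disk_encrypted: bool
    os_patch_age_days: int
    source_ip: str
    resource: str
    resource_sensitivity: str   # "low", "medium", or "high"


def on_corporate_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up', or 'deny'.

    Checks run in order: identity, then device posture, then the match
    between resource sensitivity and MFA strength. Network location only
    adds logging context for high-sensitivity access; it never bypasses
    the earlier checks."""
    reasons: List[str] = []

    # 1. Identity: every request needs some form of MFA.
    if req.mfa_method is None:
        return "deny", ["no MFA presented"]

    # 2. Device posture.
    if not req.device_managed:
        if req.resource_sensitivity != "low":
            return "deny", ["unmanaged device may only reach low-sensitivity resources"]
        reasons.append("unmanaged device; low-sensitivity resource only")
    else:
        if not req.disk_encrypted:
            return "deny", ["managed device without disk encryption"]
        if req.os_patch_age_days > MAX_PATCH_AGE_DAYS:
            return "deny", [f"OS patches are {req.os_patch_age_days} days old"]

    # 3. Resource sensitivity versus MFA strength and location.
    if req.resource_sensitivity == "high":
        if req.mfa_method not in PHISHING_RESISTANT:
            return "step_up", ["high-sensitivity resource requires phishing-resistant MFA"]
        if not on_corporate_network(req.source_ip):
            reasons.append("high-sensitivity access from off-network; session logged")

    return "allow", reasons


# Constructed requests covering the main branches of the policy.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "fido2", True, True, 5, "203.0.113.10", "hr-db", "high"),
    AccessRequest("bob", "totp", True, True, 5, "10.1.2.3", "hr-db", "high"),
    AccessRequest("carol", "totp", False, False, 0, "198.51.100.7", "wiki", "low"),
    AccessRequest("dave", None, True, True, 1, "10.1.2.4", "wiki", "low"),
    AccessRequest("eve", "fido2", True, True, 90, "10.1.2.5", "crm", "medium"),
    AccessRequest("frank", "sms", False, False, 0, "198.51.100.8", "crm", "medium"),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Map each user to the decision the policy reaches for their request."""
    return {r.user: evaluate(r)[0] for r in requests}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, why = evaluate(r)
        print(f"{r.user:6} {r.resource:6} -> {decision:8} {'; '.join(why)}")
```

Note what the sample set demonstrates: bob is on the corporate network with a managed device and still gets a step-up prompt for the HR database because TOTP is not phishing-resistant, while alice is allowed the same resource from a coffee-shop address because her device and credential are strong enough. That inversion of the old "inside the perimeter means trusted" rule is the shift the article describes.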
Businesses aren’t the only organizational entities in need of tight cybersecurity and the right leaders to manage it. CISOs have been increasingly employed by governments on the local and federal levels to aid in the defense against malicious actors.
Every US state now has a state-level CISO, although reporting lines vary from state to state. Each year, many state CISOs are granted more authority and funding for initiatives to better protect sensitive government data.
These state CISOs face more pressure and more risk than the ordinary corporate information security officer. Rather than protecting a company's profits, they're protecting public funds and the services residents depend on. Rather than guarding customer data, they're guarding the personal data of their state's entire population.
Without government CISOs, it’s entirely possible that our most fundamental institutions would be at the mercy of criminal hackers – or, worse yet, state-sponsored hackers engaging in cyber warfare.
In addition, the government’s relationship with CISOs extends beyond hiring them directly.
Often, government agencies such as the FBI or NSA share intelligence with the CISOs of private companies when they learn of an impending or ongoing attack, giving the CISO a head start with information otherwise unavailable to private citizens.
This means that in the most dangerous situations, CISOs can depend on intelligence that only government agencies can collect. A side effect is that CISOs pay close attention to national-security legislation, since it shapes what those agencies can gather and share.
For example, Section 702 of the Foreign Intelligence Surveillance Act (FISA) lets US intelligence agencies collect the communications of non-US persons located abroad, with compelled assistance from US communications providers and without an individual warrant. Foreign actors targeting US companies often route through those same providers, so the collection can surface indicators of an attack before it lands.
Agencies have credited Section 702 with uncovering foreign cyber threats, and it has proven valuable to CISOs when the government uses it to warn them of an imminent attack on their company.
However, Section 702 was set to expire at the end of 2023. Had it lapsed, CISOs would have lost one more source of early warning. After a short-term extension, Congress reauthorized it in April 2024 with added provisions intended to curb abuse.
Although Section 702 lives on another day, it only demonstrates how important it is for CISOs to have every tool possible at their disposal. A single law can be just enough to deprive a CISO of precisely what they need to save the day in a given situation.
CISOs are navigating a talent desert, with a reported global shortage of 2.7 million cybersecurity professionals, making it tough to fill the ranks and shield organizations from threats.
But why is talent so hard to find? Let’s explore a few key reasons.
- Rapidly evolving field: Cybersecurity is a fast-evolving field with continuously emerging new threats and technologies. This pace of change requires professionals to be highly adaptable and constantly learning, which can be a daunting prospect for potential candidates.
- Skill-specific requirements: Many cybersecurity roles require highly specialized skills and knowledge. The specific and technical nature of these skills means that there are fewer qualified candidates available.
- Increase in cyber threats: As the number and complexity of cyber threats grow (especially via third parties), the demand for cybersecurity professionals is increasing rapidly, further exacerbating the talent shortage because the supply of skilled professionals hasn't kept pace with growing demand.
- Lack of awareness and education: There is often a lack of awareness about cybersecurity as a career path among students and job seekers. Additionally, educational institutions don’t always offer the specialized training needed to prepare individuals for these roles.
- High industry standards: The standards and expectations in cybersecurity are high, often requiring significant experience and certifications. Entry-level positions in this field may still demand considerable experience, creating a barrier for newcomers.
- Burnout and high turnover: The high-pressure environment of the work can lead to burnout, contributing to high turnover rates in the industry. According to ISACA, 55% of cybersecurity professionals experience work-related stress at least half of the time, and 21% consider leaving due to this stress.
Despite this challenge in talent sourcing, companies are making efforts to bridge the gap.
Some companies, for example, have turned to external vendors and outsourced their cybersecurity work. This lets them strengthen their defenses quickly, especially during periods of extensive change to their security program.
The modern-day CISO's playbook includes not just hiring and outsourcing but also re-skilling the current workforce to meet evolving cyber needs.
Even when no experienced security hires are available, it's a sound move to take an exceptionally bright programmer and start training them on cybersecurity fundamentals. Many employers are surprised how much faster a motivated engineer picks up security on the job than in a full degree program.
CISOs are in a bit of a reporting pickle: Should they report directly to the big boss – the CEO – or elsewhere in the corporate hierarchy?
While the CEO is powerful, they may have particular biases and may not have the technical knowledge to understand the gravity of the CISO’s report. And it's not just about climbing the corporate ladder; it's about placing cybersecurity at the top table where big decisions are made.
According to the 2023 Global CISO Survey, the reporting structures for CISOs vary based on the type of company.
In privately held companies, more than half of CISOs report to the CEO or Senior Engineering Leaders. By contrast, in publicly traded companies, more than half of the CISOs report to the CIO.
There certainly are situations where a CISO’s decisions might conflict with the CEO’s desires.
For example, a CISO may advocate for strong multi-factor authentication and restricted access controls to protect sensitive data. The CEO might be concerned that these measures could hinder employee productivity or the customer experience.
If the CISO reports directly to the CEO, they might receive pushback on these necessary security protocols that conflict with the CEO's broader business objectives or priorities.
Some advocates for a direct line to the CEO argue that cyber risks are too critical to be diluted down the chain of command.
Yet, some CEOs may be reluctant to juggle the complex technicalities and potential conflicts that come with the territory, preferring to view cyber risk on par with other managed risks and not as a unique beast that requires special attention.
But here's the thing: If the CISO is playing a game of broken telephone with the CEO due to communication barriers – say, too much tech jargon or a lack of business risk translation – that's a red flag.
It's on the CISO to speak the language of the boardroom, making cyber threats as understandable as market risks or financial forecasts. If they can't do that, perhaps it's not the reporting structure that needs a rethink but the CISO's approach.
After all, clear communication is key to ensuring management can make informed decisions on whether to dodge, tackle, or simply shrug off those cyber risks.
Final Thoughts on the CISOs of Today
CISOs need to be the voices of reason in the boardroom, balancing the corporate need for tight cybersecurity with ambitious growth strategies.
To rise to the occasion and lead companies to safer waters, they face five pivotal challenges:
- Tussling with shadow IT practices
- Securing hybrid and remote working conditions
- Partnering with government
- Responding to talent shortages
- Navigating the chain of command
But what does the future have in store?
To find out, jump to Part 3 of this series (or bookmark it for later).