The job of a CISO has never been easy, but in recent years it’s become particularly complex. Nowadays, a chief information security officer is responsible for everything from signing off on technical plans, through to cultivating a robust security culture. Now, more so than ever, CISOs need a mix of hard and soft skills to deliver for their organizations.
A modern security leader already has to perform a dizzying array of roles within an organization. They’re a first responder, a detective, a camp counselor and a life coach. They’re an insurance actuary, a lawyer, and a research scientist. To top it off, they also have to be a charismatic visionary who builds alliances and wins hearts and minds, while also being prepared to dole out just the right amount of fear mongering. That’s a lot of arrows for one person to have in their quiver.
Any CISO or security leader who’s managed to stay vigilant, inspire new security professionals to grow, and endure this ever-changing and complex threat landscape deserves kudos.
Yet there’s always more to be done. While executive leaders and boards of directors may understand the abstract risks posed by insufficient cybersecurity, they often fail to evaluate it the same way they do for more familiar factors such as credit, liquidity, and market risk. For CISOs, a holistic approach is needed to bring non-security business leaders onside, make the risk from cyber threats tangible, and ultimately build a more resilient organization.
The New Threat Landscape
We have seen an incredible increase in the velocity and fidelity of attacks over the past year. Although threat awareness is higher than ever, it’s being matched or exceeded by increasingly sophisticated attackers. Phishing and smishing attacks increasingly arrive without spelling errors, and with legitimate logos and believable domains. Vulnerabilities are exploited at a pace that defies our patch management programs. Supplier and third-party compromises are happening faster than you can count.
Adversaries have once again upped their game in response to our continued improvements. With commodity level artificial intelligence and large language models at their fingertips, threat actors can effortlessly send communications that appear both professional and realistic.
As just one example, we’ve seen how the emails of a supplier can be compromised, allowing threat actors to send a legitimate-looking invoice from the correct email domain. How do you train your employees to be suspicious of normal correspondence from the correct email address?
With geopolitical tensions across the globe at critical levels and sanctions increasing daily, nation state-backed adversaries are focused on scale, automation, and operating efficiencies to get the most cryptocurrency possible and shore up starved economies.
In this high-stakes security climate, it shouldn’t be surprising that the role of the CISO has expanded so much, and that there is still work to be done.
Use a Holistic Approach to Create Resilient Organizations
The way to ensure your organization can survive and thrive in this changing environment is with increased resilience. But CISOs cannot simply throw technology at the problem. We often see solutions deployed without setting up the foundational infrastructure or without supporting their staff through training. Instead, a more holistic approach is needed — one that covers people, processes, and technology while focusing on a culture of prevention and response.
That means training staff across departments to recognize phishing and other social engineering attacks, and it means getting security teams visibility into what’s happening across an organization. Collaboration doesn’t just need to happen at the tech level, but also from a people perspective so suspicious activity can be followed up on and potential threats identified.
CISOs should be prepared to take a step back to assess and prioritize critical systems using risk management processes. Focus your limited resources on the most critical systems so you can use your budget as efficiently as possible.
The goal should be to build a living, modular roadmap that you can continue to adjust over time, as you rapidly swap out initiatives based on new threats. Try to create a comprehensive program before you go about buying tools. The tools, processes and approaches will change but the overall method for implementation has a longer shelf life. This will allow you to smoothly deploy and manage people, technology and processes regardless of the current fad.
With all that said, taking a holistic approach doesn’t mean your organization’s entire cyber infrastructure should be treated as one. Indeed, it often makes sense to create “watertight” separation and containment options like a submarine bulkhead so that only one part of your business is “flooded” in the case of a breach.
Attempting to get a holistic program off the ground is an intimidating prospect, and it can feel much more approachable to proceed one department or business unit at a time. NIST’s Cybersecurity Framework (CSF) can be a good place to start. Focus on the core functions of “Respond” and “Recover” at first. Once you have organizational competency in these, move on to “Protect” and “Detect.”
Security Is an Enterprise-Wide Effort
In this new era of cybersecurity, building relationships and partnering with their peers will be a CISO’s top priority. Investing in and nurturing these skills is imperative. In challenging times, business continuity and operational success will depend on it.
Ultimately, security is not the responsibility of the CISO alone. Security has become intrinsic to every aspect of an organization’s operations and risk management, and so everyone must understand and be accountable for their role in it. But someone has to lead this change, which means it’s time for CISOs to add yet another arrow to their quiver.