Cyberthreats persist despite investments in cybersecurity solutions and talents. What are CISO’s to do?

Many CISOs today may find themselves – and their cybersecurity teams – struggling in a thankless role today.

After years of investments in cybersecurity solutions and talents, organizations today still face a growing threat from the likes of ransomware, supply chain attacks, DDoS attacks etc.

Are they in danger of losing credibility with board directors and CEOs? Or worse – are they at risk of losing their jobs?

CybersecAsia discusses the looming challenges CISOs face today with C. K. Chim, Field Chief Security Officer. APAC, Cybereason.

Despite increased investments in cybersecurity and greater awareness within organizations concerning cyber threats over there last few years, incidents such as ransomware and supply-chain attacks have not abated, seemingly growing in frequency and scope. What are the likely implications for the CISO and the cybersecurity team in an organization?

Chim: If a breach occurs, it’s too late for strategy. The strategy should exist and be implemented long before the breach occurred, and it should include detailed plans of what to do in the event of a breach.

These strategies should be trained, drilled, and practiced across the organization. Before, during and after a breach is where strategy and its execution are put to the test. Prepare for war in peacetime, not after the invasion has begun.

Having a ‘checklist’ may not be sufficient, thus CISOs need to always assess key capabilities especially when the adversary appears in the digital battlefield. By doing so, CISOs and their teams will be able to see these threats and respond in time.

How do CISOs answer to the boardroom and other C-suite executives when it comes to planning for cybersecurity budgets?

Chim: What matters most is alignment and regular dialog with stakeholders across the organization on all matters.

Opening a new office? Security should be in the room. Starting a new department? Bring security. Designing a new solution? Bring security.

Cybersecurity isn’t just a “me too” issue. It’s about security not always being seen as the department of “no”, but about knowing and being part of the business, and not an external appendage. Internally, CISOs should reduce spending on older solutions and equipment making purchasing their best friend. Pay less for commodities that can be had anywhere. Use the money to modernize people, processes and tools in partnership with the CFO.

It’s encouraging to know that 88% of companies globally believe that they have the right talent to protect their organizations from ransomware. With a competent team and effective tools behind them, CISOs can sell hope instead of fear in the boardroom, especially on how cybersecurity can become a key business enabler and competitive differentiator.

Are CISOs still important to companies if their effectiveness is questioned? 

Chim: There’s a myth that there’s a pristine role called CISO and that problems with how it functions are a result of degradation from that ideal. The truth is the opposite: the CISO role has been clawing up and struggling for equality with other C-level positions. It’s the newcomer in the C-suite, and the formula is far from clear.

The biggest problem today in security isn’t about any threat or bad actor; it’s the gap between security and the business. Residual risks are created when expectations are formed for the CISO to rein in business decisions and keep them under control. While there are incompetent CISO’s who have backslid, it’s far more common to say that CISO effectiveness is poor because they are the new entrant into a company’s risk equations and corporate politics.

The solution, here, is that CISOs need to become better businesspeople, and their counterparts need to help bridge the gap.

What then should be the role of the CISO in this cybersecurity landscape? What should be the KPIs?

Chim: We know that the role of a CISO is technical. They understand security and they have been living and breathing it all their lives.

Now, they need to find lieutenants, give up being the smartest security mind in the room and bring the department what it most needs: a relationship with the board, integration with peers, a voice in business discussions, an understanding of logistics and the real C-level sponsorship that isn’t seen to be the hobbyist lingering at the edge of the C-level offices.

How can CISOs be more effective in contributing to the overall business operations and continuity, while fighting for more budgets/investments after a cyber-attack?

Chim: CISOs need to build a talented team, stop thinking in terms of products and instead in terms of capabilities, make friends outside IT and DevOps, and become the best (risk) storyteller in the company. Not only that, a forward-looking cybersecurity strategy is needed to solve business problems that do not only relate to cyber issues, but also to accelerate the business transformation journey.

CISOs also need to build partnerships with a trusted cybersecurity ecosystem as this is crucial for intelligent sharing and best practices. This forms part of a continuous learning journey that helps the CISO stay on the edge of latest trends and threat landscape. 

In the worst-case scenario, what happens when a company loses its CISO?

The problem does not lie in the presence or absence of a CISO. The problem is the presence or absence of a mature security program. When the CISO is lost, the cybersecurity program slows down and ceases to grow. The problem manifests as security is about keeping pace and exceeding the rate of advancement of opponents. It is not a static game but is rather in motion.

Good CISOs with good programs have redundancy and teams that can keep doing the job. The absolute worst case is if a CISO is the lynchpin with no redundancy in operations, and an incident occurs. If that’s the case, the selection of a new CISO is of utmost importance to keep forward motion and growing momentum.