News about data breaches continue to come up, and their pace is only getting faster. It is only becoming easier for the top management to understand that security is a necessity for protecting their information as well as reputation. Many organizations appoint a designated C-level executive: Chief Information Security Officer (CISO). In larger enterprises, a CISO may work alongside a CIO; however, roles are often overlapping in smaller organizations.
What does a CISO do?
CISOs act as the guardians of your organization’s information security programme. They continuously monitor your organization’s security posture in ever-increasing regulatory complexity. While regulatory compliance, risk management, security testing, and incident response are their key responsibilities, they also contribute to the development of secure architecture, applications, and services. They act as the security team’s point of contact with the top management. Out of all the C-level executives of a company, a CISO will have a better understanding of how the threat landscape is evolving. As businesses continue to have a better understanding of their security requirements, more and more CISOs are getting a seat at the board.
Consider that your CISO performs 99% of their tasks correctly; however, there is still a sufficient probability of mistakes given the sensitive nature of the job role. Even for CISOs with extensive experience, mistakes are one reality that they cannot deny. However, what is more crucial is the impact and frequency of those mistakes. Based on our client engagements, our experts compile common mistakes that their CISOs make in the following sections.
Mistakes concerning organizational security practices
- Lack of sufficient security testing exercises: CISOs often enter into a bubble, thinking that their security practices are adequate. A CISO shall never have the impression that their organization has been able to achieve absolute security. Continuous internal and external security testing is evidence of a mature security program. As a CISO, one should focus on conducting regular security testing exercises with a sharp focus on continual improvements in the security posture.
- Compliance, yes, and no: Information security governance can often result in ethical dilemmas for CISOs. We have come across multiple CISOs who indirectly act as a road blocker in the name of compliance. A CISO may receive numerous requests for exceptions, and they must do what is in the best interests of their organization. In other words, there must be a fine balance between accepting and rejecting requests.
- Adopting a comprehensive security strategy: There are two sides for security: your security team v. attackers. There are good arguments that this is a suitable match; however, it is not. Attackers need to be successful in any one of their attempts. On the other hand, your security team needs to defend your IT infrastructure every day. A CISO must understand that a security team cannot defend against every attack. They need to be equipped with appropriate tools and technologies to ensure that the chances of successful security incidents are minimal.
- Static policies and procedures: Threat environment evolves at a faster pace that one would expect. At the same time, organizations are striving to launch their products in the market in minimum possible time. While there is nothing wrong with moving at a faster pace, organizations often miss out on improving their security practices with time. Instead of implementing policies and operational procedures at once, they shall be regularly reviewed and updated.
- Everything is a threat: The volume and extent of security threats keep on expanding. CISOs may often start considering that every threat is an existential crisis to their organization. When every threat appears to be critical, nothing is actually critical. The real threats easily get lost in the noise, and a CISO is not able to prioritize the threats.
- Help: There is a well-known skill shortage in the cybersecurity industry. There is a chance that a CISO may require specific resources that the organization does not have. In such cases, they should not be afraid to ask for help or ask a question when they do not know the answer. Instead of merely relying on gut feeling, a CISO should seek advice from the subject matter experts for an informed decision-making process.
Mistakes concerning communication with the top management
- Members of the top management have a different perspective for cybersecurity than your security team. The top management is most likely to focus on existing risks, their impact, and how they can be mitigated. As a CISO, one must develop a good understanding of the top management’s risk appetite. Based on this understanding, they can align the presentations in a manner relevant to the top management.
- Honesty is the best policy, and presenting the actual reality may help a CISO in gaining trust. CISOs should ensure that they have a complete picture of the organizational assets and their business value.
- Some members of the top management may consider security as a difficult technical topic. It then becomes impossible for CISOs to explain the importance of a risk management program. A good solution is to present the risks and their impact in terms of money.
- The top management inclines with making an informed decision based on reliable data. While the security team collects detailed information about threats and vulnerabilities, their level of details can drown the top management into too much information. For C-level executives, the best solution is to tell a straightforward story as to what has happened and why it has happened.
Ending notes
CISOs in 2020 face a daunting task to effectively execute their responsibilities and discharge their duties towards an organization. While they keep a continuous check on security threats, they are expected to communicate with the top management and ensure maximum utilization of resources. In multiple engagements, our experts have come across top management members that do not believe that data breaches are inevitable. This multiplies the level of stress that a CISO deals with daily. To ensure that CISO function for your organization is stress-free, LIFARS’ astute information risk management experts provide support in security requirements, designing of efficient solutions and programs, and delivering quantifiable results while steering through your organization’s unique challenges.