If you make it to the heady heights of Chief Information Security Officer (CISO) in your career, you are doing pretty well. But CISOs haven’t always been around; information security used to be somebody else’s problem, and sometimes it still is.
In the 90s, security was pretty much an afterthought for anyone other than a dedicated security professional. This, of course, was before the Internet and mobile computing took off.
Back in 2016, IBM put out a statistic stating that 90% of the world’s data had been generated in the previous 2 years. And data just continues to burst out of every IoT device, online transaction, and mobile phone communication.
This makes the job of the person heading up information security complex. The CISO, chief of keeping our data safe, has a big job on their hands. They have the multi-pronged task of managing the day-to-day IT and data security threats, as well as managing and maintaining the ever-changing compliance requirements of the business. And all of this takes place within the shifting sands of the cybersecurity landscape as data explodes.
A report by the Ponemon Institute, commissioned by F5, which looked at the role of the CISO, found that 60% of CISOs place cybersecurity as a business priority.
So, what sort of things make the average CISO stay awake at night?
Budgets, or lack thereof
Budgeting for a solid and timely response to the threat of cybersecurity can be tricky. Security is often seen as non-core to business, so the area may end up with the budget equivalent of crumbs when year-end comes around. Of course, the CISO is left with the job of convincing the C-Level and board members that security must be taken seriously. However, the cybercrime statistics can do a pretty good job in helping to convince the board your department needs proper funding. In 2018, more than 2.8 billion data records were exposed. In the same year, 40 percent of small businesses were victims of a data breach; a single incident resulted in a 20 percent loss in customer base.
Figures like these can then be used to show the cost to a business, in both reputational and financial terms, and so create a case for a realistic budget.
The hunt for skilled staff
A CISO is not an island. They need skilled people to work alongside them, to take their security strategies and implement the measures across the company. These skilled staff are not just security professionals. There is also a need for people who understand compliance and training. A survey by McAfee into shortages of skilled staff in the security industry found that 82% of those surveyed reported a shortage of cybersecurity skills. This tallies with a recent (ISC)² report which states there will be a gap of 1.8 million jobs in cybersecurity by 2022.
Outsourcing is an option here, but again, this ties in with budgets.
The old compliance chestnut
Data protection and privacy regulations are there to protect our company and our customers. However, they can be hard work to implement. This is especially true when you have more than one type of regulation to comply with. For example, if you process financial information then you will need to comply with at least PCI-DSS, but also, likely, GDPR and possibly also some variants within the UK’s DPA 2018. The array of regulatory frameworks around data protection can take your breath away.
Compliance is a company-wide issue that falls on the shoulders of the CISO and their team. But a budget has to be set to help meet the stringent requirements of modern regulations. Again, the financial bottom line can help with this, as regulations like GDPR and DPA 2018 set massive fines for non-compliance.
Building a Culture of Security
One thing that helps with the general job of the CISO is having everyone on board. The old saying of “There is no i in team” is so true. Bringing the entire organisation together under the banner of a “Culture of Security” makes the CISO job a little bit easier. Why is this? Security awareness training is the foundation stone of this Culture of Security. If you use security awareness training to teach all staff about what cybersecurity is, how to spot tell-tale signs of security issues, and how to act in a security-preserving manner, many of the challenges of protecting the company will be reduced because of the old adage “many hands make light work”.
The changing security landscape
In life, there are certain things that never change, but cybercrime is not one of them. If you look at the malware numbers from AV-Test, they show increasing malware types, year-on-year, since 2010. And the types of threats change too. In 2016, ransomware was one of the biggest threats; in 2017, cryptojacking had risen in rank with an 8500% increase in attacks, with the U.K.’s National Cyber Security Centre placing it as a “significant” threat to UK business.
A CISO has their work cut out as they have to navigate this ever-changing landscape to ensure the company has the right precautions in place. They need to do this in an environment of support. A CISO and their team need to be visible and not seen as the “backroom boys and girls”. When a company spends the time to build a Culture of Security, they also embrace the idea that the whole company is responsible for being cyber-safe. In this situation, the ever-changing cybersecurity landscape is less of a concern as the CISO has everyone watching the company’s back. Of course, this means that security awareness training is not a one-off exercise. Keeping on top of security is not just the CISO’s responsibility; it is in the interest of the entire company.
Giving the CISO a Helping Hand
It can be lonely at the top, and the best way to help cybercriminals is to isolate people. The people in our organisations are our best defence against cyber-threats. The CISO is the person most well-placed to set in motion the wheels of security awareness training to pull the company together in defending against cyber-attacks.
And a final word from ClubCISO. In a survey, they asked CISOs how strongly they agree with the statement “I love my job”.
28% said they “strongly agreed”. Hopefully, with the help of colleagues to make this most complex of jobs easier, this number will increase.
Source: ClubCISO IT Security Maturity Report. All content © ClubCISO/Company85