With the rise of digital transformation initiatives in 2020, a Chief Information Security Officer’s (CISO) already stressful work environment has become even more complex. A post-pandemic world has spawned new challenges for security professionals with the rise of remote work—ensuring data remained secure in an environment that wasn’t constantly monitored, Zoom hacks, secure API integrations, and dozens of other issues. Security leaders are facing more scrutiny about security posture from the Board of Directors than ever.
CISOs needed to be on top of their game—because, in addition to those high-risk challenges, countless businesses found themselves fast-forwarding their digital transformation initiatives to adapt to the new normal. 2020 has been called the year of the great accelerator because initiatives that had been put on hold were suddenly necessary to support remote work. With less in-person face time and new security risks, many businesses played catch-up as threat models and control points changed. Keep reading to learn how to enhance your CISO leadership and mature your cyber risk management program.
Preparing for CISO Board Presentations
In the last few years, C-suite executives and Board members have become aware that cybersecurity programs and threat monitoring have been underfunded. Companies lacked a culture that reinforced their existing controls, which created a perfect storm of vulnerabilities: key employees targeted with credential-stealing malware, home networks becoming prime targets, and mixed personal and work environments that blurred the boundaries between data repositories. Wyatt Cobb, CEO & Co-Founder of SOFTwarfare, says, “Many executives realized that it’s pay now or pay big later. No one wants to be the brand or that person on the front page of every newspaper talking about a breach.” This increased scrutiny only compounded CISOs' already pressing duties and further stressed IT and cyber risk programs.
“The reality of incidents occurring is not an if—but a when,” Cobb continues. “Addressing threats and risks as a C-level executive can come from a place of fear. There needs to be this sort of paradigm shift of, how are we going to manage this vs. how are we going to eliminate it?”
But getting executives on the same page can be a challenge when much of cyber risk management happens "behind closed doors." It isn’t widely discussed, and before 2020 it was not represented in company culture. However, following 2020 and the volume of cyber attacks in the wake of remote work, we are beginning to see organizations’ security programs come under the microscope beyond the annual CISO presentation at the Board meeting.
CISO Security Strategy: Open Discourse and Be Transparent
A CISO does no one any favors by keeping risk management strategies and vulnerabilities close to their chest. Yet CISOs often view their job tenure as unstable, expecting that at the first sign of a risk that has been exposed and exploited they will be forced to move on. However, Gartner says the average CISO job tenure is over 35 months. That tenure is rarely cut short by a breach, but many CISOs operate as if they are one data breach away from being replaced. This negative cycle is detrimental to company culture and to the C-suite as a whole, because the CISO may not feel it is a safe environment in which to report threats and data breaches to the board.
A Gartner study of 129 CISOs found that only 12% excelled in all categories, as defined by Gartner's CISO Effectiveness Index. On average, CISOs allocate more valuable resources and time toward “tactical” activities than they would like. Top-performing CISOs report a good relationship and regular interaction cadence with non-IT stakeholders three times as often as bottom-performing CISOs. Top-performing CISOs also manage stressors and fatigue more effectively than their bottom-performing peers.
To remediate this toxic mindset of replaceability, Gartner suggests that CISOs and their organizations identify the gaps in behavior that keep CISOs from being more effective in their role: delegate tactical activities to staff or other stakeholders and reallocate that time toward strategic planning and cyber risk management. According to Gartner, immature organizations rate their CISOs on their ability to keep them safe and protected. Average-maturity organizations assess their CISOs on their ability to manage risks, and high-maturity organizations measure their CISOs on their ability to deliver value and impact the bottom line. So it comes down to CISOs setting their companies up for success, and vice versa, so they can all rise together and proactively manage risk.
Establish a Risk-Informed Narrative
Putting a tangible, measurable Return on Security Investment (ROSI) on cybersecurity posture, cyber risk management, or cyber risk assessment is hard. For many higher-level executives, these problems will not land on their desks multiple times a day demanding attention. Instead, if the job is being done correctly, they may never appear at all. The ‘invisibility’ of risks becomes an issue when going over budgets and business processes: C-level executives may wonder why there has been so much investment in these areas when there isn’t anything to show for it.
Security strategy can be thought through whether you’re a CISO, a high-level network engineer, or a CEO. Understanding where vulnerabilities exist and then prioritizing them intelligently by level of criticality has been a robust approach for decades. It’s just a matter of getting everyone invested in the success of vulnerability management.
One way to mitigate these challenges is to establish a narrative and demonstrate a supply value chain that aligns IT and business objectives. Showing the board the value that risk management adds to the whole company at every step of the process demonstrates return on investment and underlines the importance of keeping all data safe across the supply value chain.
Focus on the Future
A CISO’s responsibilities will only grow as the world expands into digital transformation, and so will the pressure CISOs face daily. However, with a plan in place and a mature risk strategy, it’s possible to be prepared for the ever-present threat of data breaches.
Contact us to learn how CyberStrong empowers CISOs with actionable insights to transform cyber risk management processes and secure executive buy-in with advanced reporting.