{"id":954,"date":"2024-11-25T07:00:00","date_gmt":"2024-11-25T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=954"},"modified":"2024-11-25T07:00:00","modified_gmt":"2024-11-25T07:00:00","slug":"top-challenges-holding-back-cisos-agendas","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=954","title":{"rendered":"Top challenges holding back CISOs\u2019 agendas"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In the past decade, every CISO knew the question awaiting them in the boardroom: <em>Can we survive the next cyberattack?<\/em> Now, as the turbulent 2024 draws to a close, the concerns have multiplied, says Don Gibson, the CISO at Kinly. Board members are often asking: <em>Can we survive these economic times? <\/em>Or<em> are we prepared for geopolitical storms?<\/em><\/p>\n<p>Intensifying global conflicts, economic instability, and a surge in new regulations have put pressure on CISOs and their organizations. Today, chief information security officers have to manage an array of issues\u2014often with limited resources at their disposal.<\/p>\n<p>Tight budgets, competing priorities, and the ongoing struggle to attract and retain skilled talent are among the hurdles CISOs face in their effort to secure organizations, according to a recent<a href=\"https:\/\/foundryco.com\/research\/security-priorities\/\"> survey<\/a> by Foundry. Other challenges include low employee awareness and training, as well as organizational and cultural barriers, all of which can hamper their ability to be effective.<\/p>\n<p>While doing more with less has always been part of the job, today\u2019s pressures call for a bit of a rethinking.<\/p>\n<p>\u201cAdjust your expectations,\u201d says Gibson. 
\u201cThere\u2019s always an option.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Stretching every dollar<\/h2>\n<p>From an organization-wide perspective, cybersecurity often sits low on the priority ladder because it doesn\u2019t generate revenue directly. Avishai Avivi, CISO at SafeBreach, compares it to insurance: \u201cYou prefer not to pay for it, but you\u2019re happy when you need it and have it.\u201d<\/p>\n<p>With limited resources and an ever-growing list of threats, CISOs are often caught managing multiple projects at once. Some of these might move forward bit by bit, but without clear milestones or measurable progress, it\u2019s difficult to show their real impact. This makes it harder for CISOs to secure extra funding or support, especially when stakeholders can\u2019t see solid, tangible results.<\/p>\n<p>\u201cThat makes it almost impossible to show meaningful success,\u201d says John Terrill, CSO at Phosphorus. \u201cA lot of times, this can come from trying to boil the ocean.\u201d<\/p>\n<p>Many CISOs recommend learning to \u201cspeak business\u201d and occasionally scaring the board to get more funding, but these can only go so far. \u201cThe company has a finite amount of resources; you need to make peace with that,\u201d Avivi says.<\/p>\n<p>In such a situation, CISOs have to get strategic about which risks to tackle first. It\u2019s all about figuring out what needs urgent attention versus what can stay as-is for now.<\/p>\n<p>Automated tools can also be of great help, especially for smaller companies that can\u2019t afford large, dedicated security, compliance, and data privacy teams. 
\u201cOrganizations must implement and take advantage of automated <a href=\"https:\/\/www.csoonline.com\/article\/1309993\/grc-impact-and-challenges-to-cybersecurity.html\">GRC<\/a> solutions that help with combining risk, compliance monitoring, vulnerability monitoring and intrusion detection,\u201d says Metin Kortak, CISO at Rhymetec.<\/p>\n<h2 class=\"wp-block-heading\">Juggling priorities<\/h2>\n<p>When faced with a long list of priorities but only so many resources, creating a clear set of risk appetite statements can be a game-changer. It helps define what level of risk the organization is willing to accept, making it easier to decide where to focus efforts and resources.<\/p>\n<p>\u201cAligning both the workforce and the organization\u2019s leadership around risk appetite helps tremendously to focus your energy and your dollars in the places that most need them,\u201d says Ken Deitz, CISO at Secureworks. \u201cIf an organization has a stated risk appetite for security risk, the priorities start to jump off the page.\u201d<\/p>\n<p>CISOs should be open about the risk the organization will take if their priorities are not addressed. \u201cThis presentation needs to be in business-relevant terms,\u201d Avivi says. \u201cJust telling the CEO and the board that we must pass a SOC 2 Type II audit doesn\u2019t carry the same weight as informing them that our customers demand a clean SOC 2 Type II certification for any new sales to close.\u201d<\/p>\n<p>Gibson also supports this approach. \u201cYou own your strategy, so you make the decisions on priorities. If the board wants you to change them, then they can own the risk and educate you why this is more important.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Building a culture of security across the organization<\/h2>\n<p>Some priorities might be up for debate, but one thing isn\u2019t negotiable: building a strong security culture across the organization. 
Well-meaning employees who are simply curious or just want to help may click on a phishing link or mishandle sensitive information, opening the door to threats.<\/p>\n<p>To address this, proactive training is essential. \u201cOrganizations need to invest in up-to-date cybersecurity training and use artificial intelligence and machine learning to simulate real-time cyberattacks,\u201d says Kortak. \u201cEmployees must be given hands-on experience in responding to threats to ensure they understand theoretical concepts and can apply practical skills in real-world scenarios.\u201d<\/p>\n<p>At the same time, staying secure should be straightforward \u2014 it needs to feel like a natural part of doing business. \u201cI try to lead with the philosophy that doing the right thing should be easy,\u201d Deitz says. \u201cIf complying with an organization\u2019s security processes is complicated and byzantine, you will never be successful.\u201d<\/p>\n<p>For example, a passwordless FIDO2-based authentication system makes the organization more secure while also simplifying things for employees, since it removes the requirement to remember unique, complex passwords, Deitz says.<\/p>\n<p>Security training should include everyone, even those in technical roles \u2014 particularly in companies where IT is central to the business. \u201cIT engineers are trained to deliver functional products \u2014 an app, a network, etc. \u2014 not a secure product,\u201d says Dimitri Chichlo, CSO at BforeAI. \u201cCISOs who fail to address this issue holistically risk creating a vulnerable human layer within their first line of defense.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Overcoming organizational and cultural barriers<\/h2>\n<p>The CISO\u2019s job can get challenging when organizational and cultural barriers come into play. Security teams, for example, can feel frustrated or discouraged when they\u2019re unable to perform at their best due to factors beyond their control. 
And other teams may often need information on why it\u2019s important to support cybersecurity-related projects that don\u2019t offer immediate results.<\/p>\n<p>To address this issue, Avivi adjusts his message, aiming to connect with each team in a way that really resonates with them. \u201cFor example, developers will freely acknowledge that fixing a security bug proactively and at their own pace is much easier than having a customer screaming at them when the bug is now a breach that you must drop everything and fix,\u201d he says. \u201cAs a CISO, you must understand their needs and context and how your program impacts them.\u201d<\/p>\n<p>Many organizational and cultural barriers can be overcome through communication and collaboration. \u201cSpending time and energy on managing relationships and building confidence with your fellow leaders is never wasted energy,\u201d Deitz says.<\/p>\n<h2 class=\"wp-block-heading\">Winning the talent game<\/h2>\n<p>With the talent gap still affecting cybersecurity, CISOs must be smart about building and keeping a skilled team. Often, cybersecurity experts can be more difficult to replace than developers, and this process takes time and money.<\/p>\n<p>\u201cFor some roles like engineering, employees can, and often do, start working on day one,\u201d Kortak says. \u201cWhen a new cybersecurity employee is hired, they must gain historical knowledge about the company and be trained to learn the past frameworks and security policies that the previous person put in place.\u201d<\/p>\n<p>When hiring, Deitz recommends that organizations prioritize enthusiasm and work ethic over technical knowledge and experience. 
\u201cLeaders should consider training people to do the job as a better investment than paying for the most experienced candidate on the market,\u201d he says.\u00a0\u201cThe best security performer is almost always the one you train from the start.\u201d<\/p>\n<p>Employees are often more likely to stay with a company if they feel they have opportunities for growth. That is why giving them reach goals and \u201cproviding upward mobility\u201d is key, says Terrill. And so is managing their workload. As Howard Taylor, CISO at Radware, put it, \u201cwithout the ability to add more staff and tools, the workload for CISOs and security teams continues to grow exponentially, increasing the risk of burnout.\u201d<\/p>\n<p>To prevent that, CISOs should look after their team and allow them to take a break every once in a while. That\u2019s exactly what Gibson did on a sunny day after a month of bad weather. \u201cI brought them into an urgent meeting and told them to get off their machines and get outside for an hour. Feel the sun. Breathe the fresh air,\u201d he says. \u201cThey still talk about it.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Regulations, AI, nation states derailing CISOs\u2019 plans<\/h2>\n<p>There are also other issues CISOs have to deal with. One of these is rapidly evolving regulatory demands. \u201cRegulators all over the globe are starting to assert more control around what they want to see with security programs within businesses, and as a result, regulatory compliance is being prioritized highly,\u201d Deitz says.<\/p>\n<p>AI is also changing the game. There is a massive rush to embrace AI technologies in multiple layers without completely understanding all the implications, according to Avivi. 
\u201cRelated to it is the whole topic of deepfakes, which amplifies malicious actors\u2019 ability to successfully execute social engineering attacks against your most vulnerable assets \u2014 your employees.\u201d<\/p>\n<p>Terrill also worries about attacks sponsored by nation states. \u201cThis is starting to change a lot of priorities to take a look at zero trust, micro segmentation, OT\/IoT defense, and other strategies thought to be more advanced,\u201d he says. \u201cThat\u2019s in the backdrop of a lot of industry groups pushing back on CISA\u2019s reporting requirements in CIRCIA. So, there\u2019s a desire to improve security but not much desire to report incidents.\u201d<\/p>\n<p>In light of all these pressures, Gibson recommends that CISOs remember they are human and should try to look after themselves. \u201cRemember that your job doesn\u2019t love you,\u201d he says. \u201cIt\u2019s fine to love your job like I do, but if you are neglecting yourself and can\u2019t continue for any reason, yes, people will be sad, but your job will be getting filled in a few weeks. Your job doesn\u2019t love you.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In the past decade, every CISO knew the question awaiting them in the boardroom: Can we survive the next cyberattack? Now, as the turbulent 2024 draws to a close, the concerns have multiplied, says Don Gibson, the CISO at Kinly. Board members are often asking: Can we survive these economic times? 
Or are we prepared [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-954","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/954"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=954"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/954\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/955"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
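The article's one concrete control is Deitz's point that passwordless FIDO2 authentication is both more secure and easier for employees. The Go program below is an added example, written for this page and not taken from the article, from Deitz, or from any FIDO2 vendor. It models the relying-party side of a WebAuthn login to show where the security actually comes from: the browser, not the web page, writes the observed origin into the signed client data, so a credential used on a look-alike site fails verification even if the attacker relays the real challenge, and the per-login challenge plus the signature counter reject replays and cloned keys. The RP ID `login.example.com`, the origin `https://login.example.com`, the look-alike origin, and the in-memory authenticator are assumptions for illustration; real deployments use CBOR-encoded authenticator data, COSE public keys, and attestation, all of which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	rpID       = "login.example.com"         // assumed RP ID for this illustration
	goodOrigin = "https://login.example.com" // assumed legitimate origin
	flagUP     = 0x01                        // authenticatorData flag: user present
	flagUV     = 0x04                        // authenticatorData flag: user verified (PIN or biometric)
)

type Authenticator struct { // stands in for a security key or platform authenticator
	priv    *ecdsa.PrivateKey
	counter uint32
}
type Credential struct { // all the relying party stores: public key and last counter, no shared secret
	pub     *ecdsa.PublicKey
	counter uint32
}
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the message WebAuthn signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Register generates a P-256 key pair on the authenticator; only the public half leaves the device.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{pub: &priv.PublicKey}, nil
}

// NewChallenge is the relying party's fresh per-login nonce.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	return ch
}

// Sign models browser plus authenticator; origin is what the browser observed, not what the page claims.
func (a *Authenticator) Sign(challenge []byte, origin string, flags byte) (*Assertion, error) {
	a.counter++
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := binary.BigEndian.AppendUint32(append(rpHash[:], flags), a.counter) // rpIdHash || flags || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side; each check closes one attack: challenge (replay), origin (phishing),
// rpIdHash and UP/UV flags (wrong site, unattended device), counter (cloned key), signature (forgery).
func (c *Credential) Verify(as *Assertion, challenge []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge or ceremony type mismatch")
	}
	if cd["origin"] != goodOrigin {
		return fmt.Errorf("origin %q not allowed", cd["origin"])
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) || (as.AuthData[32]&(flagUP|flagUV)) != (flagUP|flagUV) {
		return errors.New("rpIdHash mismatch or user presence/verification flags not set")
	}
	ctr := binary.BigEndian.Uint32(as.AuthData[33:37])
	if ctr <= c.counter {
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(c.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	c.counter = ctr
	return nil
}

func main() {
	auth, cred, _ := Register()
	ch := NewChallenge()
	legit, _ := auth.Sign(ch, goodOrigin, flagUP|flagUV)
	phished, _ := auth.Sign(ch, "https://login.example-com.evil", flagUP|flagUV) // look-alike site relaying the real challenge
	fmt.Println("legitimate:", cred.Verify(legit, ch), "\nphished:", cred.Verify(phished, ch), "\nreplayed:", cred.Verify(legit, NewChallenge()))
}
```

The contrast with passwords is the point: a password typed into the look-alike site is simply gone, whereas the FIDO2 assertion signed there carries the attacker's origin and is rejected by the real relying party, with nothing reusable left behind. Requiring the UV flag is what turns this into a passwordless login rather than a second factor, since the authenticator itself has checked a PIN or biometric.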