The role of Chief Information Security Officer (CISO) is more complex and important than ever before. Attackers deploying ransomware against businesses and targeting individuals with identity theft are stepping up their activity. American companies reported ransomware-related transactions averaging $102.3 million per month. Keep in mind that this figure is based only on self-reported data; The Washington Post recently reported that the US Government believes “that only about a quarter of ransomware intrusions are actually reported.” In the same vein, the US Treasury estimated that companies paid $5.2 billion in Bitcoin transactions tied to ransomware in 2021. Identity theft in the United States also hit an all-time high, costing consumers a reported total of $721.3 billion, and that number is only growing in 2022.
Because of this widespread increase in hacking and security breaches, CISOs face challenges that are broader and more varied than in years past. Beyond outsider threats, CISO challenges also include ongoing course-of-business pain points: budget approvals, team retention, stakeholder communication, risk management, and much more. This article breaks down the top CISO challenges taking priority in 2022.
What Do CISOs Care About?
The CISO is primarily responsible for establishing the right security and data governance practices for a company, and for enabling a scalable, low-risk operating framework in a constantly shifting technological environment. A solid CISO cares about the company’s entire security strategy and all of the complexities therein: protecting against data breaches, meeting industry data compliance regulations, establishing and refining employee management while developing protocols that reduce the human-error weaknesses that undermine security, disaster recovery and business continuity, documentation, and senior stakeholder management. It’s a big role with an enormous set of challenges.
What Makes a CISO Successful?
The most effective CISOs maintain their technical expertise, continuously learn about new technologies and threats to stay on top of the ever-evolving landscape, and serve as strong leaders and collaborators who are adept at communicating technical issues to stakeholders who may not need (or want) all of the nitty-gritty technical detail. Who is this unicorn? Someone who maintains technical prowess, is unflappable in a crisis, and communicates well. The stereotype of the technical wizard who just “needs to be trusted” won’t fly anymore; a successful CISO explains challenges in simple terms to colleagues while understanding the business impact of the areas their function oversees.
When it comes to CISO challenges, collaboration is key, and CISOs need to communicate top priorities and high-need issues to senior stakeholders succinctly and effectively. Supporting this philosophy is the line often attributed to Albert Einstein: “If you can’t explain it simply, you don’t understand it well enough.” A strong CISO can cover issues in their area in simple terms that inform and engage stakeholders. That same strength also serves them well as a manager and group leader when communicating with direct reports and the various members of their security teams.
What Are the Three Common Types of CISO?
The three common types of CISO are the Technical Information Security Officer, the Business Information Security Officer, and the Strategic Information Security Officer.
1: Technical Information Security Officer
The Technical Information Security Officer specializes in managing technical security issues and operations, including firewall management, and holds most of the infrastructure expertise. They are also in charge of coordinating and managing technical policy, controls, and assessments.
2: Business Information Security Officer
The Business Information Security Officer specializes in information security issues specific to their business vertical, for example managing and protecting customer Personally Identifiable Information (PII) where that is a business need. This individual also helps determine and implement enterprise-wide security requirements, policies, and procedures.
3: Strategic Information Security Officer
A Strategic Information Security Officer specializes in translating high-level business requirements into company-wide security initiatives. This function is also responsible for sharing data and distributing key performance indicators (KPIs), industry metrics, dashboards, and stakeholder reports. For some companies, a single CISO will be capable of performing at a high level in all of these areas. Others may find that they need more than one CISO in place to meet their business needs.
Top 10 CISO Challenges to Stay Ahead of in 2022
CISOs face threats both inside and outside of the company, ranging from common tasks like employee management, retention, and training to sophisticated threats from external sources. They also handle the challenge of managing budgets, ongoing business priorities, and communicating well with senior stakeholders.
Challenge 1: Multiplying Threats
The rapid expansion of connected devices (including things like toasters, thanks to the Internet of Things), combined with employees using their own devices, bringing personal phones to work, and working from home on personal equipment, has given attackers far more ways into a company’s network. Organizations need to defend against attacks via web, mobile, and social platforms, and implement preventive measures against cloud attacks, insider threats, and more. For insights, read our recommendations on how to protect your company’s digital assets. CISOs have to work harder than ever to keep company data secure.
Challenge 2: Budget Constraints
Data breaches are costly when they happen, but it can still be difficult to get important cybersecurity initiatives properly funded. When security works, companies fund the CISO-led initiatives and never see the incident that was prevented, so the need stays invisible. It’s a lot like insurance: you may not see the need for it until you don’t have it and something catastrophic happens. That makes it hard for CISOs to secure the budget lines they need to succeed in the role.
Challenge 3: Talent Shortfalls
Demand for IT security professionals has grown faster than the supply of talent, so positions can be hard to fill. Without a solid support team, a CISO is pulled away from critical issues and cannot allocate resources adequately. The overall work climate has also changed radically in the last two years; with the “great resignation,” companies need to work harder than ever to retain talented employees.
Challenge 4: Human Error
Human behavior and simple human error are the most commonly exploited security weaknesses. Employees might fall for a phishing scam, or simply access company information on a personal device that isn’t properly secured. These actions increase the risk of a data breach and let attackers bypass otherwise strong controls. Careless employee behavior leaves the organization vulnerable, so CISOs need to review security policies, proactively educate employees on cybersecurity risks, run new training, and keep improving and iterating on security protocols.
Challenge 5: Evolving Compliance Requirements
Data protection regulations continue to multiply internationally. Depending on your business, you may be required to comply with several of them and to align your data-handling controls with frameworks such as NIST, ISO 27001, and the CIS Controls. Because the requirements vary, companies need to strengthen their data protection protocols to ensure the confidentiality, integrity, and availability of data. For compliance risk management, perform a risk assessment to see where your company stands, and make sure the right systems are in place to comply with every regulation that applies.
Challenge 6: Alert Fatigue
CISOs face an ongoing threat of alert fatigue amid a tsunami of low-priority alerts and false positives. Firewalls, security tools, and other protections generate many thousands of events a day. CISOs and their security teams need ways to manage alerts that keep analysts vigilant but reduce overall fatigue, so that real threats are not mistaken for non-events and important signals are not disregarded. Deduplicating repeated events, suppressing known-benign sources after a tuning review, and ranking what remains by severity are the usual starting points. Fighting alert fatigue is key to maintaining security team stamina and actively preventing critical threats to a company.
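As an added example (not part of the original article), the following Python script shows the kind of first-pass triage a security team can put in front of analysts: it folds repeated alerts for the same rule and source within a time window into one entry with a count, drops rule/source pairs that a tuning review has marked benign, and orders what remains by severity. The alert records, the severity scale, the 30-minute window, and the suppression list are all constructed for the illustration.

```python
"""Alert triage for a noisy SOC queue: fold duplicates, suppress tuned-out
noise, and rank the rest by severity. Added example with constructed data."""
from datetime import datetime, timedelta

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample alerts: (ISO timestamp, rule name, source, severity).
SAMPLE_ALERTS = [
    ("2022-03-01T09:00:05", "port-scan", "10.0.0.7", "low"),
    ("2022-03-01T09:00:09", "port-scan", "10.0.0.7", "low"),
    ("2022-03-01T09:00:14", "port-scan", "10.0.0.7", "low"),
    ("2022-03-01T09:02:00", "malware-beacon", "ws-finance-12", "critical"),
    ("2022-03-01T09:02:30", "av-signature-update", "scanner-01", "low"),
    ("2022-03-01T09:03:10", "failed-login", "vpn-gw", "medium"),
    ("2022-03-01T09:20:00", "port-scan", "10.0.0.7", "low"),
    ("2022-03-01T09:25:00", "failed-login", "vpn-gw", "medium"),
]

# Hypothetical suppression list: (rule, source) pairs that a tuning review
# found benign, e.g. the vulnerability scanner tripping its own signatures.
SUPPRESS = {("av-signature-update", "scanner-01")}


class Group:
    """One queue entry: a run of alerts with the same rule and source."""
    __slots__ = ("rule", "source", "severity", "first", "last", "count")

    def __init__(self, rule, source, severity, when):
        self.rule, self.source, self.severity = rule, source, severity
        self.first = self.last = when
        self.count = 1


def triage(alerts, window=timedelta(minutes=30), suppress=SUPPRESS):
    """Return (queue, suppressed_count).

    queue is a list of (rule, source, count, first_seen) ordered by severity,
    then by count. Alerts that match an open group's rule and source and fall
    within `window` of that group's first alert are folded into it; a later
    alert outside the window opens a fresh group so a recurrence is still seen.
    """
    queue, open_groups, suppressed = [], {}, 0
    for ts, rule, source, severity in sorted(alerts):  # ISO strings sort chronologically
        when = datetime.fromisoformat(ts)
        key = (rule, source)
        if key in suppress:
            suppressed += 1
            continue
        group = open_groups.get(key)
        if group is not None and when - group.first <= window:
            group.count += 1
            group.last = when
            continue
        group = Group(rule, source, severity, when)
        open_groups[key] = group
        queue.append(group)
    queue.sort(key=lambda g: (-SEVERITY_RANK[g.severity], -g.count, g.first))
    return [(g.rule, g.source, g.count, g.first.isoformat()) for g in queue], suppressed


if __name__ == "__main__":
    queue, suppressed = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(queue)} queue entries "
          f"({suppressed} suppressed)")
    for rule, source, count, first_seen in queue:
        print(f"{first_seen}  {rule:<20} {source:<15} x{count}")
```

Run as-is, the eight constructed alerts collapse to three queue entries with the critical beacon at the top. Lengthening `window` folds more aggressively at the cost of hiding a recurrence inside an old group; the suppression list should only ever be populated from a documented tuning decision, since anything on it is invisible to analysts.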
Challenge 7: Internal Leaks
There is one constant in cyber security, and that is the human element. CISOs need to consider that team members who are unhappy in their role or otherwise disgruntled may decide to share confidential information, and they must educate personnel on an ongoing basis. Education, training, and reinforcement help reduce the likelihood of human error. All it takes is one person clicking on a link, or one misconfigured firewall, to take down an organization’s internal systems. Companies should regularly review access controls, keep proper security logs, and track activity per individual user so that unusual access (bulk reads of sensitive records, repeated permission denials, activity at odd hours) can be spotted. It’s not foolproof, as complete protection of company information from insiders is nearly impossible, but proper permissions and logging go a long way as a defensive strategy against internal leaks.
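The per-user tracking described above, as an added example that is not from the original article: a Python script that parses constructed access-log lines, counts each user’s successful reads of sensitive resources, permission denials, and off-hours activity, and flags users who exceed hypothetical thresholds. The log format, resource names, business-hours window, and thresholds are assumptions made for the example; a real deployment would derive the thresholds from observed baselines.

```python
"""Per-user access monitoring over an application access log: count sensitive
reads, permission denials and off-hours activity per user and flag outliers.
Added example; log lines, thresholds and business hours are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)
SENSITIVE_PREFIXES = ("customer_records/", "payroll/")   # assumed sensitive stores
BUSINESS_HOURS = range(7, 19)                              # 07:00-18:59, assumed

# Constructed sample log. bob pulls a dozen customer records at 02:xx and then
# gets denied twice on payroll; alice and carol look like normal daytime use.
SAMPLE_LOG = [
    "2022-03-01T09:12:00 user=alice action=read resource=customer_records/1001 result=ok",
    "2022-03-01T09:15:00 user=alice action=read resource=customer_records/1002 result=ok",
    "2022-03-01T10:02:00 user=alice action=update resource=tickets/77 result=ok",
    "2022-03-01T11:30:00 user=carol action=read resource=customer_records/2050 result=ok",
    "2022-03-01T11:31:00 user=carol action=read resource=payroll/2022-02 result=denied",
    "2022-03-01T02:40:00 user=bob action=read resource=payroll/2022-02 result=denied",
    "2022-03-01T02:41:00 user=bob action=read resource=payroll/2022-01 result=denied",
    "this line is not a valid access-log record",
] + [
    f"2022-03-01T02:{10 + i:02d}:00 user=bob action=read "
    f"resource=customer_records/{3000 + i} result=ok"
    for i in range(12)
]


def summarize(lines):
    """Return ({user: counters}, malformed_line_count)."""
    stats = defaultdict(lambda: {"sensitive_reads": 0, "off_hours_events": 0, "denied": 0})
    malformed = 0
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match is None:
            malformed += 1   # count rather than drop silently: gaps in logging are a finding too
            continue
        rec = match.groupdict()
        counters = stats[rec["user"]]
        if datetime.fromisoformat(rec["ts"]).hour not in BUSINESS_HOURS:
            counters["off_hours_events"] += 1
        if rec["result"] == "denied":
            counters["denied"] += 1            # repeated denials look like probing for access
        elif rec["action"] == "read" and rec["resource"].startswith(SENSITIVE_PREFIXES):
            counters["sensitive_reads"] += 1   # only successful reads count as exposure
    return dict(stats), malformed


def flag_users(stats, max_sensitive_reads=10, max_denied=1, max_off_hours=5):
    """Return {user: [reasons]} for users over any threshold.
    Thresholds here are illustrative; derive real ones from observed baselines."""
    flagged = {}
    for user, c in stats.items():
        reasons = []
        if c["sensitive_reads"] > max_sensitive_reads:
            reasons.append(f"{c['sensitive_reads']} sensitive reads (> {max_sensitive_reads})")
        if c["denied"] > max_denied:
            reasons.append(f"{c['denied']} access denials (> {max_denied})")
        if c["off_hours_events"] > max_off_hours:
            reasons.append(f"{c['off_hours_events']} off-hours events (> {max_off_hours})")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    stats, malformed = summarize(SAMPLE_LOG)
    print(f"{malformed} malformed line(s) skipped")
    for user, reasons in sorted(flag_users(stats).items()):
        print(f"{user}: " + "; ".join(reasons))
```

Only bob trips the thresholds here, on all three counts; carol’s single payroll denial stays below the limit, which is the point of setting limits from a baseline rather than flagging every denial. Malformed lines are counted rather than ignored, because a sudden rise in unparseable records can itself mean logging was tampered with or broken.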
Challenge 8: Rapid Software Development
Companies are working hard and fast to beat their competitors and get a handle on new technologies. Many software development teams work in agile, continuous-improvement models, and with that comes a faster and more interdependent software development lifecycle. The downside is that in the push for speed and flexibility, software can be less secure. In the rush to release, security can become an afterthought.
Another weak point in this process is delayed patching, which leaves companies exposed to vulnerabilities that are already known and already fixed upstream. Security teams need to prioritize software update management, but it can fall by the wayside when there are competing priorities. Sadly, that decision can be costly. In 2019, Equifax agreed to a settlement of at least $575 million over a data breach caused by a failure to apply an available patch for a known vulnerability, which remained exploitable for about four months. The breach impacted approximately 147 million people and exposed names, dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
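As an added example (not from the original article, and not Equifax’s tooling), here is a Python script a security team could run against an inventory of installed software versions to see which hosts are still exposed to fixed vulnerabilities and how far past a patching SLA each one is. The hosts, component names, versions, advisory dates, and SLA windows are constructed. It also handles the common case where a fix ships on more than one release branch and a host sits on a branch that never received one.

```python
"""Patch-lag report: compare installed versions against advisories and show
how far past the patching SLA each unpatched host is. Added example; the
inventory, advisories and SLA windows are constructed."""
from datetime import date

# Hypothetical patching SLA in days per advisory severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed inventory: host -> {component: installed version}.
INVENTORY = {
    "web-01": {"app-framework": "2.3.31", "tls-lib": "3.0.2"},
    "web-02": {"app-framework": "2.5.10", "tls-lib": "3.0.2"},
    "web-03": {"app-framework": "2.6.0"},
    "app-01": {"app-framework": "2.4.7"},
    "db-01": {"db-engine": "13.5"},
}

# Constructed advisories: component -> fixed versions (one per supported
# release branch), the date the fix shipped, and severity.
ADVISORIES = {
    "app-framework": {"fixed": ["2.3.32", "2.5.11"],
                      "released": date(2022, 1, 10), "severity": "critical"},
    "db-engine": {"fixed": ["13.6"],
                  "released": date(2022, 2, 10), "severity": "high"},
}

REPORT_DATE = date(2022, 3, 1)   # "today" for the constructed report


def parse_version(version):
    """'2.3.31' -> (2, 3, 31); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def is_patched(installed, fixed_versions):
    """True if `installed` carries the fix.

    If a fix exists on the installed major.minor branch, compare against it.
    Otherwise the host is on a branch that never got a fix (end-of-life or
    skipped), and only a version newer than every fixed release counts."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    for fix in fixes:
        if fix[:2] == inst[:2]:
            return inst >= fix
    return inst >= max(fixes)


def patch_report(inventory, advisories, today):
    """List unpatched (host, component) pairs, most overdue first."""
    rows = []
    for host, components in inventory.items():
        for component, installed in components.items():
            adv = advisories.get(component)
            if adv is None or is_patched(installed, adv["fixed"]):
                continue
            days_open = (today - adv["released"]).days
            rows.append({
                "host": host, "component": component, "installed": installed,
                "fixed": adv["fixed"], "severity": adv["severity"],
                "days_open": days_open,
                "overdue_by": max(0, days_open - SLA_DAYS[adv["severity"]]),
            })
    rows.sort(key=lambda r: (-r["overdue_by"], -r["days_open"], r["host"]))
    return rows


if __name__ == "__main__":
    for r in patch_report(INVENTORY, ADVISORIES, REPORT_DATE):
        print(f"{r['host']:<7} {r['component']:<14} {r['installed']:<7} -> "
              f"{'/'.join(r['fixed'])}  {r['severity']:<8} "
              f"open {r['days_open']}d, overdue {r['overdue_by']}d")
```

In the constructed data, `web-03` on 2.6.0 is clean, `app-01` on the 2.4 branch is flagged even though 2.4.7 is numerically above the 2.3.32 fix (its branch never got one), and the three critical exposures show as 43 days past a 7-day SLA while the database is still inside its 30-day window. The report is only as good as the inventory feeding it, so the real work is keeping that inventory complete.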
Challenge 9: Corporate Commitment
CISOs face a unique hurdle: they are often the newest C-suite executive in the room at senior leadership meetings, and they report on a part of the business that is often the least understood. The most successful CISOs can quickly explain their area to peers and provide data that is helpful and informative to the rest of the business. It’s estimated that fewer than 10% of CISOs currently provide data that is useful to the senior team, while more than half of CISOs feel the senior team is not engaged with the company’s security strategy. Communication and collaboration are key to fostering corporate commitment and building relationships with colleagues that then advance security teams and their efforts.
Challenge 10: Ongoing Education
The rate of change in tech only keeps growing. CISOs face evolving cyberthreats and need to educate themselves, their security teams, and all relevant staff on how to protect against existing and new data breach threats. CISOs are responsible for providing teams with comprehensive cybersecurity education. That can range from sharing device security and management best practices, to telling teams what suspicious activity looks like, to making security awareness and good habits part of the team culture.
How Can CISOs Stay Ahead of the Challenges?
To stay ahead of the top CISO challenges in 2022, it’s important to engage with peers, maintain team strength, and keep up with security news and trends. Understanding your industry’s regulatory and framework requirements, and whether you are meeting the required benchmarks, is mission critical. Ongoing education, security team management, risk management and assessment, vigilance against attackers and outside threats, and successful stakeholder management are all important to the success of a solid CISO. Having the right technology, like AuditBoard’s compliance management software, will assist in the process.