Cloud computing and SaaS have made it easy for attackers to spin up infrastructure in minutes that would previously have required physical servers, money and far more time. Today, an overarching objective of a Chief Information Security Officer (CISO) is to ensure the enterprise can defend itself against cyberattacks. That is easier said than done. The sharp rise in ransomware attacks has created new challenges for modern CISOs, and those challenges will keep growing as the threat landscape widens every day.

Let’s look at these challenges and map them to the CISO’s role with our expert Geir Engh-Hellesvik, CISO at the Vy Group, one of the largest transport groups in the Nordics.

Role of Modern CISOs

Traditionally, the CISO role was highly technical and was not expected to influence the business. In those days, issues like data breaches and ransomware were not the biggest items on the radar.

Things are different today. We live in a world of large-scale ransomware attacks and data breaches that cripple large and small organisations alike. Cyber risk is no longer confined to tech teams and IT operations; it extends to business operations and, in turn, to reputation. An incident can disrupt an entire company for weeks and cause permanent damage from which it never recovers. ‘CISO is an advisor and evangelist, not just a technical IT person, much more in contact with innovation initiatives and processes in the enterprise than ever before. They are now seen as a valuable input to the business leaders,’ says Geir.

[Figure: bar graph of skills required for a CISO. Source: Interquest Group]

Modern CISO Challenges

With a modern role come modern challenges. While taking care of security, CISOs are also bridging the gap between the technical and business sides. Geir believes that ‘When we (CISOs) are working with the business side right from the beginning, we are able to give more cost-effective advice and solutions to security issues.’

A multifaceted role brings its own set of challenges. Let’s walk through them here.

Reduce Knowledge & Skill Gaps

In one of our surveys at CS4CA USA 2021, CISOs from critical infrastructure voted skills as the biggest gap in their organisation (almost half of respondents). Knowledge of systems and tools came second. Needless to say, the pace of technological change is widening that gap and making it harder to close. The main challenge for CISOs is to bring in the right skills and resources: people who can integrate security with business strategy and objectives while ensuring security measures are applied appropriately.

[Figure: CS4CA USA 2021 survey pie chart]

Reduce Technical Debt

In addition, CISOs have to build a working vulnerability management programme and present the Board with strategies for protecting the company, backed by a well-thought-out ROI case. According to Forbes, it takes on average approximately 280 days to identify and contain a data breach. One can only imagine the amount of work required from the CISO and their team to shorten that window. The autonomy CISOs enjoy in protecting the organisation therefore comes at a steep price in workload and accountability.

Data Loss and Privacy 

For a CISO, technical capability does not take a back seat; it is what ties security initiatives and activities into business operations and plans. The mix of on-premise, data centre and cloud-based data sets and applications is a complicated arena to operate in. From a CISO’s perspective, security controls and remediation or audit reports are point-in-time snapshots, and the window in which they remain valid keeps shrinking as environments change. While this adds to the technical challenge, on the business side it gets harder to boil the details down to what matters to the business. As Geir explains, ‘It’s a business impact discussion, the actual risk remediation is more of a technical matter.’

Third-Party Integration

As organisations adopt new technologies to accelerate growth, their supply chains grow longer and more complex. Dependencies accumulate over time, and suppliers need ongoing security assessment rather than a one-off review. CISOs have to run a comprehensive onboarding process, review each supplier’s technology controls and attestations, and secure contractual protections and service-level agreements to mitigate supply chain risk.

Communication

Beyond budget constraints, communication barriers between departments can hinder security discussions. Enterprises need to close that gap and build a collaborative, proactive culture that supports peer-to-peer upskilling and strengthens the teams’ capabilities.

CISOs face a constant challenge in communicating effectively with the board of directors and senior management while building security into the business as an intrinsic part of how it operates.

Moving forward…

A modern CISO is a unique combination of enabler, strategist, critical business advisor and business influencer. Together these roles build a culture of security and give the business a competitive edge.

‘Given the number of outbreaks of hacks and malware, it would be naive to think that it won’t happen to you,’ states Geir. CISOs are therefore required to align cyber security priorities with business value chains from the start.
