SJA Exclusive: How the CISO role is evolving under increasing scrutiny
Victoria Rees
Andreas Wuchner, Field CISO at Panaseer discusses why CISOs must explain security risks from the perspective of a business as a whole to effectively communicate with executives.
CISOs are facing continuing challenges this year. In the midst of attacks on global brands, with companies like GoDaddy and News Corp admitting threat actors have had access to their internal networks for years at a time, it seems there is also a disconnect between security leaders and the boardroom.
Forrester revealed corporate boards and the C-suite still largely view cybersecurity as a cost center, while research from Panaseer found that getting buy-in from the board on security decisions is a key frustration for more than two-thirds of security leaders.
Equally worrying, Gartner recently predicted that almost 50% of cybersecurity leaders will change jobs in the next two years due to unsustainable levels of stress. Constantly rising pressure and expectations from regulators and boards are placing a huge burden on CISOs and CSOs alike, made worse by a variety of frustrations and increasing levels of burnout.
In this environment, with budgetary pressures rising too, CISOs need to find ways to communicate their security posture, get board members onside and relieve some of the pressure.
Leading CISO frustrations
The thing that really keeps CISOs up at night isn’t getting attacked through a zero-day vulnerability. Instead, it’s a breach through a control that was meant to be in place but failed. Panaseer found that nearly nine in ten security leaders across the US and UK see control failures as the primary reason for data breaches, while the inability to continuously measure enterprise-wide security posture and identify failure of controls is their biggest frustration.
In fact, it is these frustrations around tooling and data that are even more influential in staff resignations than the desire to get paid more or move to a more senior role.
It’s clear, therefore, that something needs to change to better support security leaders and their teams. First and foremost, they must be able to continuously measure the effectiveness of existing tools and gain data intelligence on protection gaps so that CISOs can better manage their security posture, eliminate control failures and reduce work-related stressors. However, it’s also about ensuring the board better understands security risk and driving accountability around minimizing this risk.
Getting the board’s buy-in
If the board is to stop seeing cybersecurity simply as a cost center, CISOs need to focus on understanding how the business wants to consume information and how to best present this information so that they can better manage the risks for which they are accountable. Successful CISOs will be those that communicate in a transparent and straightforward way, relating cyber-risk to business risk.
The CISO role is evolving to meet these fresh demands, moving away from a focus on technical cybersecurity knowledge towards executive and risk domain expertise. However, for this to be successful, it ultimately also requires a shift in the way businesses understand risk. Often cybersecurity is only considered in a technical sense, but we need to start recognizing what is most at risk in a business sense and prioritizing remediation accordingly.
To make this achievable, security leaders need to apply business context to their cybersecurity strategy, better enabling them to articulate cyber-risk and security posture to executives, translate why this matters to the business and help boards understand how to manage it best. As risk continues to grow, CISOs will be increasingly expected to operate as board executives who can influence decisions.
Driving accountability
As part of this changing role and as businesses increasingly leverage new technology in the push towards digital transformation, security leaders are also looking for ways to improve accountability and collaboration.
While CISOs are responsible for security posture, they rely on others to take accountability for critical activities. They therefore need a trusted view of data, assets and control status to drive action across security and IT teams, receive evidence of remediation and foster stronger relationships with the board and other senior stakeholders. However, driving accountability and evidencing improvements will be far more challenging for CISOs who rely on manual processes to understand and manage their security posture, and who use those same processes as the basis of their boardroom conversations.
In an agile business, stakeholders expect reliable, real-time data. Therefore, to drive accountability for CISOs and their teams, we should expect to see a greater focus on automation. This helps give an accurate view of whether they’re reaching security KPIs in line with internal policies and external frameworks. It also saves time and frees up security teams from the monotony of pulling together manual reports.
CISOs are undoubtedly under significant pressure as preventable breaches continue to threaten enterprise security. As this security leadership role evolves, it’s all about taking control of risk from a business perspective. Automation makes it far easier for CISOs to measure against their team’s security KPIs and assess compliance with policies, which will be key in demonstrating risk posture to the board. Yet it’s only if this is communicated in a business language that CISOs will succeed in getting executives ‘on board’ with security investment and overcome some of their biggest frustrations.