[BreachExchange] The CISO is dead; long live the CISO

[Destry Winant]

https://securityboulevard.com/2020/07/the-ciso-is-dead-long-live-the-ciso/

More and more companies are hiring Chief Information Security Officers
(CISOs) to navigate the rough waters of cybersecurity. The need for
CISOs in enterprise organizations is at the height of importance with
the increase in both ransomware attacks and data breaches. Again,
we’re not going to be the first ones to tell you that the days where
data breaches, ransomware, and other forms of cyberattacks were rare
are gone. Cyberattacks have an observable, but rarely reported effect
on CISOs. With the almost daily data breaches, CISOs are realizing
that there is a huge target on their back when (not if!), a data
breach occurs.

What is a CISOs role?

A little dirty secret of the IT industry is that many people within an
organization don’t actually know what a CISO does. However, those that
do, see “information security” in the title of the job, and expect
certain things. Because of these expectations, when IT failures occur
fingers are often pointed in the CISO’s direction first. It stands to
reason that anyone who manages information security should be
accountable when a lapse in cybersecurity allows a data breach or
ransomware attack.

Though a CISOs responsibilities may differ from company to company the
core role is well defined; a CISO is essentially a senior-level
executive who’s responsible for executing and overseeing the company’s
cybersecurity strategy. So it stands to reason that the CISO role is
often held accountable when a data breach, of any form, occurs. In
fact, according to a survey reported by Tripwire, 21% of IT
decision-makers would most likely blame a data breach on the CISO. The
CISO isn’t the only one that’s seen as being accountable, of course;
it is seen as the second finger that gets pointed, after the one
that’s pointed at the CEO, of course. This goes a long way in
explaining why the average tenure of a CISO is a mere 18 months. A
CISO’s time may be short, but the potential impact of their role is
mighty—data breach recovery can cost a company over $3 million in
recovery and $1 million to discover a breach.

Hearing about a CISO in the news is… bad news

The CISO position isn’t really talked about in mainstream media, that
is until a cyberattack is in the news. In other words, all news is bad
news: whenever you get a notification, see a Tweet, or read an article
about an organization getting breached, you’ll hear a CISO’s name.

CISOs have an incredibly difficult job because they’re expected to be
able to secure an enterprise or organization from all angles and at
all hours of the day. This is why when a cybersecurity issue arises,
the fingers are pointed directly at the CISO.

Customer’s play the blame game

When a breach or ransomware attack occurs, consumers want to see that
the person responsible for the attack is held accountable. Breaches
are often the fault of an institutionalized failure of policy and not
that of a single individual, however, because the policy often falls
to the CISO, a CISO may lose their job in order for an organization to
preserve their reputation with its consumers. Hence the average
18-month ticking clock.

Not only does a CISO have to worry about their actions, but they are
also accountable for their team if it were to fail to detect or
respond properly to a breach. CISOs are also expected to manage issues
external to the company (e.g. those faults of a partner or third-party
vendor) as well. Imagine an example where a third-party weakness is
found that allows a bad actor to get into a network and cause
measurable harm. A CISO will, more likely than not, be held
accountable for this security failure.

Worse still, are the outliers: like the story of the Uber CISO
participating in a data breach cover-up. A breach looks bad enough for
a company, but a cover-up can destroy an entire company’s reputation.

The CISO in highly regulated industries

It is difficult to talk about a CISO’s role without also mentioning
compliance. A CISO is often responsible for monitoring regulatory
compliance for whatever industry they operate in. No matter the
regulatory standards in place, adherence to the compliance standards
is expected. And this responsibility falls to the CISOs and they are
expected to handle it all—from making sure the third-party vendors are
granted proper privileges to educating employees on the nuances of
phishing emails.

What CISOs can do

Because the CISO role is often on the chopping block in order to send
a message after a public data breach, a CISO should act to preempt and
anticipate failures in IT security.

- Transparency is key: If a CISO finds out about a data breach or
ransomware attack, it’s their duty to be upfront and honest about it.
This move can save an organization’s reputation and a CISOs job.
- Reporting: Accurate, comprehensive, and consistent reporting of
vulnerabilities are key. The size of the possible vulnerability should
not matter, rather, anything and everything should be reported.
The right solutions and tools: This comes in many different forms,
whether it be the IT team or the secure remote access platform used,
CISOs must be aware of the tools and solutions they’re using. The
wrong tools could be the difference between an 18-month tenure and a
life-long job.
- Open approach: In this case, honesty is the best policy. An open
approach can aid in the prevention and detection of a data breach.

A CISO should never feel alone in their quest to keep their company
safe. To learn more about the importance of implementing the right
tools to have a full cybersecurity platform that keeps your company
(and your job) safe, check out our helpful brochure about implementing
a standardized vendor management platform.