[BreachExchange] Three tips for modernizing the CISO in 2021

Thu Apr 29 10:37:59 EDT 2021

https://www.scmagazine.com/perspectives/three-tips-for-modernizing-the-ciso-in-2021/

During the height of the pandemic last year, the CISO took on new
prominence within organizations. Increased security risks and hasty
technology rollouts resulted in a greater chance of exposure to breaches
and leaks. CISOs were forced to respond by quickly instituting measures to
maintain business continuity and protect against new cyberthreats. Still,
at many organizations, the crucial executive role of the CISO reports to
the CIO.

Unfortunately, CIOs often have ground to cover when it comes to truly
understanding security risk factors and the tools, budget, and personnel
needed to mitigate them. As a result, CISOs often find themselves in a
weaker position when it comes to getting the resources and approvals they
need. With the average tenure of a CISO lasting about two years or less
because of the growing stress that comes with the job, CISOs must balance
the stress by focusing on the value they’re providing to their business.

I strongly believe that for security to improve, companies need to take the
following steps to elevate the role of the CISO:

Make the CISO equal to the CIO.
Rather than having the CISO report to the CIO as many organizations do
today, the two should operate as equal counterparts. CISOs and CIOs must
work closely together to ensure that developments and rollouts are secure.
There’s nothing that slows down the product development cycle more than
when crucial security measures are ignored, forcing developers to backtrack
and delay delivery. When the CISO and CIO work in tandem as equals, the
organization will take security  just as seriously as IT, development, and
technology rollouts.

A recent KPMG CIO Survey found that 44% of CIOs and technology leaders
expect significant changes to come to their products, service offerings, or
even their business model in the next few years. CISOs and security teams
need to support, not hinder, this business change. It’s important that
security professionals think of themselves as risk managers that help
direct and inform the business on taking on the risks that allow the
company to meet their overall goals. Together, the CIO and CISO can ensure
both parts of the business are striving toward the larger goal of a secure
digital transformation.

Shift organizational strategy and mentality.
With rising insider risks, an expanded threat landscape, and a remote or
hybrid workforce, companies must take today’s security realities into
account when setting an organization’s strategy. As a security leader, we
don’t want to place overly aggressive security controls on everything.
Today, for example, more than half (51%) of IT security leaders receive
daily or weekly complaints about blocking employees’ legitimate work and
file activity – an indication that blocking activities probably have gone
too far. Try to tune the right level of security for the organization.
Balance what the board, CEO and customers want and, at the same time, match
the culture of the organization.

In a lot of cases, security leaders promote their own security risk posture
ideals versus trying to truly understand the acceptable risk posture of the
organization. But with the support of the CIO, a CISO can understand the
ins and outs of the technology and tools rolled out to employees, and
ensure that the tools are secure for a productive, collaborative culture.

Help the CISO become a powerful change agent.
CISOs should deliver regular reports and presentations to the board about
the overall risk to the business. Security has become a business-wide
challenge today and companies should not ignore security or leave it out of
board-level conversations. By empowering the CISO to take part in, and
lead, these important discussions, they have the power to make essential
changes. This can relate to the overall security strategy and budget, the
way the security team works more closely with IT prior to technology
deployments, or the trainings that are given to the entire organization.

A successful CISO has a clear understanding of their business, what the
company delivers and where the company delivers it. Once the CISO
understands the company’s operating parameters and develops a strong
relationship with the CEO, the board and other important decision-makers,
CISOs arrive at a really favorable position.

CISOs are consistently called “students of the business” and I’m a strong
believer that we not only need to hone our technical expertise, but must
constantly learn about the business. As the role of the CISO has changed
and been elevated in the past year, we need to ensure we keep the trust
we’ve earned in our organizations. Security has become a business-wide,
board-level priority – it’s no longer an afterthought. CISOs must continue
making security a priority, voicing our opinions, and pushing for the
budgets and assets we need. It’s all possible when the CISO and CIO are
fully aligned, equal, and committed to securing their organization.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210429/7e7fe60a/attachment.html>