Cyber security attacks have evolved from the ego-driven stunts of teenage hobbyists into serious cyber crime such as ransomware. At the same time, the ever-growing use of mobile and IoT devices for business activities is widening the attack surface dramatically.
These are among the reasons cyber security has become part of boardroom discussions. To protect businesses and the national economy, regulatory bodies are mandating stringent requirements backed by heavy penalties, up to and including prison sentences.
We’re in the stone age of cyber security. Real learning will only come after the 1st major incident.
Dr. Christopher Frei, Secretary General of World Energy Council
The emerging role of the CISO
Aligning cyber security with the business, by reducing risk, protecting business data and the organization's reputation, and complying with regulatory requirements, has created the need for a C-suite executive dedicated to cyber security. This role is the Chief Information Security Officer (CISO).
Expectations of the CISO
The CISO's role has evolved from one focused primarily on implementing and managing security control technology (firewalls, IDS/IPS, AV solutions, etc.) to that of a consultative, business-process-aware risk management professional.
CISOs are expected to change the organization's view of security from technical controls to risk-based, process-oriented cyber security protection. The CISO is likely to take part in business strategy meetings to provide the security, risk and compliance perspective on new business initiatives.
How does the CISO's role relate to other organizational functions?
What C-suite executives want to know is: "Are we managing risk adequately?" The CISO should be able to speak to these executives in business language, explain how the risk management program is working with a deep perspective on the risks, and show how to enable the business while minimizing those risks.
To implement a successful risk-based approach, the CISO needs to develop strong relationships with the IT infrastructure teams and the other business units (BUs) within the organization, approaching these BUs in a consultative manner to offer guidance.
The CISO should also possess the persuasion skills to get the cyber security budget approved by relating it to the cyber security risks and their impact on the business.
Top Five Challenges a CISO Faces Every Day
CISOs face a number of tough challenges while managing all of the above expectations. These challenges are described in the following paragraphs.
- Cyber Security Attacks
With the proliferation of mobile and IoT devices, the attack surface keeps growing. Attackers and attack patterns are becoming more aggressive and, at the same time, harder to identify.
Attacks use the latest technologies and cause more damage to the business. It is becoming difficult to detect attacks and assign risk for mitigation, because attackers may sit inside the organization's network long enough that their activity blends into the baseline of "normal" behaviour that security monitoring learns, so it no longer stands out as an exception.
Cyber attackers and criminals who are always a few steps ahead of security professionals are what keep CISOs awake at night.
Identifying cyber security threats, detecting attacks and mitigating them before damage is done to the business is the first and biggest challenge CISOs face today.
- User Experience
To be competitive, businesses are making enterprise applications available on mobile platforms to employees as well as consumers. The security team will have little or no control over the devices or the connections used to access business data.
Tight security controls may suit the security team but will definitely hamper the end-user experience, as users have to go through login screens, multi-factor authentication and additional VPN connectivity. Security policies such as device encryption and regular password changes may also be a burden to end users (mandatory periodic password rotation, in particular, is a burden that current guidance such as NIST SP 800-63B no longer recommends).
CISOs have to walk a tightrope when balancing security against user experience.
- Hiring Skilled Resources
Day-to-day security monitoring means eyeballs on a screen. It becomes monotonous, so security professionals tend to move on in search of a different environment and new experiences. There is always a scarcity of skilled and experienced security professionals in the market.
A security analyst requires knowledge of ever-changing technologies, awareness of attack dynamics, and skills such as persistence, problem identification and root-cause analysis. Beyond this, a security professional should understand both the IT infrastructure and the business requirements.
These two factors keep CISOs constantly on their toes to hire and retain the best available talent in the market.
- Involvement in Strategic Initiatives
In 80% of organizations, the security function is buried several layers deep in IT; a CISO who reports to the CIO rather than directly to the CEO can be isolated from the other areas of the business.
The 2016 Deloitte survey on the CISO's strategic role found that more than 70% of C-suite executives do not consider CISOs part of the organization's leadership team. This is the main reason CISOs are not involved in the early stages of business strategy and planning. Once the strategy is defined, the CISO is called in to identify the risks and expected to develop a mitigation plan. This can result in security being compromised, either by cutting it to the bare minimum or by bloating project costs to mitigate the identified risks.
CISOs may also face headwinds from business program leaders who do not see the value of security beyond its traditional functions and consider security costs an additional burden eating away at profits.
The CISO should establish close working relationships with other C-suite executives and program leaders to help drive business strategy from a risk perspective.
Getting involved early in business planning, and convincing the business to include risk management as part of its strategy, is another tough challenge modern CISOs face.
- Keeping up with disruptive technologies
Technological advances in mobility and IoT add many security weak links through nonstandard devices and unknown data-sharing paths. Cloud hosting is another challenge from the data protection perspective.
The challenge posed by disruptive technologies such as mobility and cloud is far broader than addressing any one issue, such as securing mobile devices or securing cloud computing environments. CISOs have to take an end-to-end perspective covering the business angle, the consumer experience and the risk profile of the application.
Managing all of the above while balancing security risk against budget is another great challenge CISOs face today.
The CISO's job is very demanding and, at the same time, challenging. It is no longer limited to specialist cyber security controls but is spilling over into the strategic level. Business-level skills and an academic background in business, alongside a cyber security specialization, may help a CISO thrive. Continued training and professional certifications are another important way for a CISO to keep up with the above challenges.
Collaborating with C-suite executives at the strategy level and with security analysts at the operational level is another essential skill the CISO must acquire to balance keeping the business happy with reducing risk.
The CISO role is skyrocketing in power and responsibility; be prepared to enjoy it.