The Top 3 Challenges for CISOs
Ever since the position emerged more than a decade ago, the CISO role has been a difficult one. CISOs are responsible for an objective that they can never guarantee with 100 percent certainty: securing the organization. CISOs don’t receive kudos when a week goes by without a cyber incident. But the minute there’s a breach, the CISO is inevitably the scapegoat – and usually the first person a company kicks to the curb. As David Jordan, the CISO for Arlington County in Virginia, told the New York Times: “We’re like sheep waiting to be slaughtered. We all know what our fate is when there’s a significant breach.” It’s no wonder that the CISO is often cited as the most thankless position in the C-Suite.
The CISO role only continues to grow in complexity. From ever-evolving security threats to increased regulatory requirements, CISOs are faced with a barrage of stressful problems that would drive even a Buddhist monk batty. CISOs are always juggling an array of challenges. Here are the top three on their to-do lists.
1. The Expanding Attack Surface
Once upon a time, CISOs only had to worry about securing computer networks. But in recent years, a growing number of office devices are being connected to the Internet – thermostats, sprinkler systems, coffee machines, etc. Collectively, this burgeoning constellation of connected devices is known as the “Internet of Things” (IoT). Making matters more complicated is the concurrent rise of the bring-your-own-device (BYOD) movement. As employees increasingly opt to bring their own devices to the office, and more of those BYOD devices are connected to the Internet, every business’s attack surface expands exponentially (or to put it in mathematical terms: IoT x BYOD = many more attack vectors). Hackers have more access points than ever to infiltrate a company’s network. All organizations need to be concerned about IoT. The stakes are even higher for businesses selling products and services that rely on Internet-connected machines.
The emergence of IoT and BYOD has CISOs crying out SOS as they struggle to secure a slew of new digital devices. But by taking a few proper precautions, CISOs can plug any gaping holes in their organization’s attack surface. First, CISOs need to carefully map their organization’s IoT connections. Second, they need to be directly involved in device acquisition decisions in all departments within the enterprise. Finally, CISOs must establish clear BYOD policies and actually hold employees accountable for their actions. Ultimately, IoT and BYOD are radically reshaping the role of the CISO, who must ultimately take the lead in tackling these growing security issues.
2. The Cybersecurity Skills Shortage
Cyber talent is tough to find. There is a chronic shortage of individuals in the labor market who have the skills to succeed in cybersecurity positions. According to a study by ESG and ISSA, 70 percent of cybersecurity professionals say that this skills gap has had an impact on their organization. These cyber professionals say the skills deficit has led to an increased workload on existing employees, high rates of employee burnout and attrition, and cybersecurity teams spending most of their time dealing with emergencies and very little time on proactive strategic planning. This skills shortage puts a particular strain on CISOs, who have to manage many of these problems.
The cyber skills gap has made it very difficult for businesses to attract and retain top talent. Nearly half of all cybersecurity professionals say they are solicited to consider other jobs by recruiters at least once per week. Cybersecurity specialists have no shortage of job options, so companies need to be creative when building their cyber workforce. A lot of businesses rely solely on compensation to attract and retain cybersecurity talent. But compensation should only be one part of your recruiting plan. Organizations often overpay for outside cyber talent, when they would be better off investing in training for existing employees. Companies also need to create clear career pathways and provide ongoing professional development for their cybersecurity team members. Workers who can envision a future for themselves, and feel valued and encouraged, are less likely to leave when a tempting job offer comes their way.
3. New Regulations
Over the past few years, there has been a significant increase in the amount of new legislation and regulations regarding cybersecurity. A series of big, headline-making breaches have led legislators and regulators to crack down on companies for their deficient data practices. Complicating matters further, shifts in the legal and regulatory environment are happening at all levels of government: state, national, and international. This makes it quite challenging for CISOs to keep up with the seemingly endless number of new regulatory requirements.
Perhaps the most significant recent regulation is GDPR – a piece of legislation that strikes fear into the heart of every CISO. GDPR has been called “the most important change in data privacy regulation in 20 years.” This landmark legislation sets strict rules for how companies collect and store all kinds of customer data. Organizations that fail to comply with GDPR face massive fines.
GDPR just went into effect in May 2018. For the past two years, CISOs have been scrambling to prepare for this radical regulatory overhaul. But their work is far from finished. CISOs will have to continue to closely monitor their organization’s compliance – carefully tracking data privacy requirements on their cyber risk dashboards – to stay on the right side of regulators.
N2K is Here To Help
N2K has a deep well of expertise on all of these cyber challenges. Check out our Resolve program to see how our Cyber Risk Seminars and Deep-Dive Executive Cybersecurity Sessions can help your organization tackle your toughest security problems. Additionally, be sure to take a look at our training programs to learn how you can keep your people engaged and focused on doing their jobs better, instead of trying to find a higher paying position.