Learn how today's security leaders are adapting to new challenges.
It’s well known by now that cyber attacks and successful breaches have exploded in recent years. Accenture’s latest report on the state of cybersecurity notes that companies experience an average of 270 attacks per year. And Gartner warns that nearly half of organizations worldwide will experience an attack on their digital supply chains.
To understand their risk and develop strategies against these attacks, C-suites and Boards of Directors are looking at CISOs (Chief Information Security Officers) to give them answers. Not only do these leaders expect CISOs to manage their company’s internal risk, but make sure that the right people and technologies are in place to support all kinds of cybersecurity initiatives.
But in recent years, the role of the CISO has rapidly evolved. Today, Gartner calls CISOs, “burnt out, overworked, and always on.” CISOs juggle a variety of responsibilities to improve and maintain their company’s cybersecurity posture.
What is a Modern CISO?
At the highest level, a CISO is a senior-level executive who is accountable for the overall security posture of the organization. They manage information security, cybersecurity budgets, and risk and compliance activities, while also being responsible for explaining those complex concepts to the rest of the executive team. Where a traditional CISO was a technical influencer, a modern CISO serves as a business influencer who translates cyber risk to business risk.
A CISO is a problem solver, a leader, and a strategic thinker. Today, they shape and influence risk decisions to enhance cybersecurity posture. They are heavily involved in building out a full information security program, ensuring that:
- Sensitive data and information stays secure.
- Data is always accurate.
- Hardware and software systems are maintained properly.
CISO Responsibility #1: Security Risk & Compliance
A CISO’s top priority revolves around security risk and compliance. At the core, these responsibilities work to comply with government regulations and requirements, while also moving beyond simply “checking a box” to manage security risk proactively. In general, a CISO looks at three different areas:
Cybersecurity Legal Compliance & Government Regulations
Given all the major incidents in recent years, it’s no surprise that regulators are increasingly focused on cybersecurity. Earlier this year, President Bident signed law legislation requiring companies to disclose incidents to the government within days. And, the US Securities and Exchange Commission (SEC) began considering new regulations that require companies to disclosure aspects of their cybersecurity program including risks, governance, and incidents.
Compliance goes beyond US government regulations. For example, businesses in the healthcare sector must comply with HIPAA security and data protection regulations. Regional standards such as DORA regulations in the UK need to be followed. It is the responsibility of the CISO to know all the legal compliance and government regulations that apply to their organization and make sure their cybersecurity program follows them.
Cybersecurity Awareness Training
Any good CISO knows that cybersecurity is everyone’s responsibility. 82% of breaches involve a human element, according to Verizon’s latest data breach investigations report. And, over half of breaches used remote access or web applications. Especially now that many workforces are distributed between different offices and work-from-anywhere options, CISOs need to have routine awareness training for all employees to stay on top of the latest risks, as well as reminders of how to spot common phishing techniques and best practices for passwords.
Security Performance Monitoring
An important aspect of risk management and compliance is establishing security performance monitoring to ensure that controls function as they are meant to. Think of it as a heart rate monitor for cyber risk; continuously monitoring cybersecurity posture lets CISOs keep a constant check on risk levels, and act quickly whenever something looks amiss. A CISO understands their company’s risk appetite, and monitors performance against it.
CISO Responsibility #2: Technical Security Operations
While security risk and compliance tends to lean more towards strategic and programmatic activities, CISOs also oversee the more day-to-day technical activities of the security team. While they may not be directly involved in the execution of these activities, it is certainly their responsibility to ensure that technical security operations run smoothly and their teams have the right tools they need to get the job done.
System and organization control (SOC) standards give CISOs insight into the effectiveness of their internal controls and safeguards. There are 3 types of SOC reports for CISOs to leverage to make sure they can assess internal controls at a point in time or over a period of time. While this blog won’t dig into the specifics of each type of SOC report, CISOs need to ensure their teams follow what is needed for the type of compliance most important to their organization, including running vulnerability scans, penetration tests, and web application security risk assessments.
Vendor Lifecycle Management
CISOs know that managing outside vendors effectively has a major impact on operational efficiency across the digital footprint. From assessing and onboarding new vendors to monitoring current ones, CISOs need to manage vendors throughout the lifecycle. After all, half of businesses have suffered a data breach caused by a third party.
CISO Responsibility #3: Reporting & Communicating Cybersecurity Performance to Internal Stakeholders
Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity. Now, senior executives and board members have greater urgency around understanding cybersecurity programs, with CISOs as their catalyst. Not only are these conversations centered around the company’s level of risk, but they also fuel discussions around program strategy and budgets.
The importance of cyber risk governance and oversight is increasing as board members, regulators, and other stakeholders seek to gain better visibility into the security programs. CISOs need to be prepared to not only speak to cybersecurity posture, programs, and strategies, but to speak effectively. CISOs need to convey security risks in business terms, present solutions, and provide actionable insights backed by data.
BitSight put together a guide to reporting to the board specifically for CISOs. You can read it here.
Cyber Risk Quantification
Boards are more focused on the ROI of security spending than ever. Not only do they want to see results, they want to see results related to business outcomes. Cyber Risk Quantification (CRQ) introduces a universal language across business leaders by using financial impacts as a way to communicate cyber risk and decision-making. CISOs leverage CRQ to inform cybersecurity investments using financial outcomes to justify decisions, create more understanding of cyber risk, and solidify budgets.
Ready to get started with CRQ? Here are 3 steps CISOs can use to get rolling.
The Future of the CISO
There’s no doubt about it: The role of the CISO has changed dramatically since the start of the pandemic, and it’s only going to continue evolving. As Boards and the C-suite continue to push for transparency and trust in cybersecurity programs, CISOs are uniquely positioned to bring true value to the business in making the right decisions.