The role of the chief information security officer – or CISO for short – is to understand a corporation’s cyber threat landscape and know where vulnerabilities lie. And given the relentless increase in sophisticated hacking, their clout and importance to the CEO and Board is increasing exponentially. Given COVID-19, as millions of American white-collar workers have moved from the office to their home to work remotely and stay in touch with colleagues solely online, it has been CISOs who have been charged with making sure this eruption of new endpoints isn’t compromising corporate network security.
CISOs have evolved from a human cost center to a critical protector of the lifeblood of the corporation – the workforce. Conversations in the C-Suite about the impact of the first pandemic in a century quickly focused on the uncompromising reality that a remote, digitally-powered workforce was the only way many companies could continue to operate.
CISOs’ new-found power is unlikely to fade anytime soon. In addition to the pandemic, the drizzle of sophisticated hacking episodes have grown to a hammering torrent of constant zero-day exploits and phishing and ransomware attacks. Combined with dependence on weakly secured Internet of Things (IoT) devices and security concerns in ubiquitous mobile devices, the Internet age sometimes seems like the source of never-ending war.
What CISOs are doing is to continue their strategic value to the CEO and corporation. Below are some “must-dos” that are suggestions for CISOS that have arisen from my firm’s Global Cyber Innovation Summit CISO Digital Exchange, a regular discussion I host among CISOs.
Understand new technologies. CISOs must keep up with current technology trends, not only to stay vigilant and innovative but also to take advantage of powerful new tools in artificial intelligence (AI) and machine learning as well as expanding IoT and 5G capabilities.
Curb technobabble. Some CISOs are technical performers-turned managers who focus too much on the “nuts and bolts” of security instead of overall risk management and related business outcomes. The CEO and board members want the technical skills, but they also want to make security as cost-effective and well-targeted as possible. The National Association for Corporate Directors provides specific guidance that states that “cybersecurity is an enterprise-wide risk management issue, not just an IT issue.”
Be alert to regulations. As lawmakers pass legislation and new threats emerge, CISOs must take into account that regulations change frequently. In the wake of the European-based General Data Protection Regulation (GDPR), which in 2018 substantially increased the protection of consumer data, more governments at all levels and in widespread geographies, including California, are following suit.
Develop your team. The shortage of skilled cybersecurity personnel keeps growing. Surveys show only 15 percent plan to stay in their current roles (and even the average tenure of a CISO is a scant 26 months). This means a CISO must be a receptive leader who responds to employee needs and encourages their development to drive down attrition. The CISO is only as strong as the team they lead and continuity is essential to effectiveness.
Pay attention to third party vendors. CISOs and their reports too often fall down on the job in keeping tabs on third-party vendors, which are ubiquitous at big companies and yet often are not required to follow strict guidelines in interfacing digitally with their customers. No surprise, then, that these vendors are often the conduit for a cyberattack in their customers’ businesses. Third-party software vendors are even bigger security headaches.