The role of the Chief Information Security Officer (CISO) has evolved into a strategically critical, and stress-inducing, position. As the old saying goes, security chiefs must be right 100% of the time, while cyber-attackers seeking to create operational or financial chaos only need to be right, or lucky, once.
Digital transformation and the rapid increase in remote and hybrid workforces have expanded the threat surfaces for many, if not most, organizations. As a result, boards of directors are increasingly focused on the role of cybersecurity, elevating the role and responsibilities of CISOs.
The Register recently reported on a survey of security executives who said that securing the remote workforce is the top stressor on the job. Almost half of those surveyed said it’s impossible to stop every threat, yet that is the expectation. Adding to the stress, 43% say they’re expected to always be on call, and 40% “cite both inadequate existing security stack and insufficient SecOps staff.”
Today’s reality is that the bad guys are racing at full speed while the good guys are playing catch-up.
The CISO’s perspective
For more insight into the changing nature of the CISO role, I recently sat down with Jim Hillier, a 30-year veteran of information security who currently serves as Director and Principal Advisor, Security at Rimini Street.
Jim has served in the roles of CTO, CIO, and CISO across both the public and private sectors. He has led teams of more than 100 professionals responsible for security, technology, and business functions, from daily operations to policy implementation. That experience gives him a deep and insightful perspective on the responsibilities and challenges of today's security chiefs.
As Jim points out, many criminal hackers are well-funded, and some are even state-sponsored organizations. Some are using ransomware proceeds to fund a new business model that Jim equates to a "new mafia."
When attacked, organizations must quickly assess everybody affected and what their state or country requires for notification and response, which in some cases may include offering ongoing credit monitoring. In addition, says Jim, CISOs should have an incident response plan ready, along with funding to support investigations, forensic accounting, and data preservation.
“It’s like a crime scene – evidence has to be preserved,” he adds. “At the same time, you’ve got to be up and running and keeping the business going.” Today’s CISO must know which employees and third-party providers to alert and mobilize immediately for the incident response. For example:
- do you know who to contact at the FBI?
- which state-level officials do you need to engage with?
- who is your insurer, and what are the details of your insurance policy?
- how do you contact your legal counsel?
Board-level advice and consultation
CISOs must have clear insight into the board’s strategy for responding to incidents. In the case of a ransomware attack, what is the organization’s posture on paying a ransom in the hope of regaining access to data? “You don’t want to go to your board and have that conversation while you’re trying to fight the fire,” says Jim.
Many CISOs may be relatively new to their current positions and potentially scrambling to respond to an attack. According to a survey by search firm Marlin Hawk, “53% of global CISOs have been in their current role for two years or less, meaning they assumed a new position during the COVID-19 pandemic.”
Jim urges CISOs to view themselves as advisors to CIOs and boards of directors in helping them assess their risk appetite. “You can’t protect everything 100%,” he explains. “There’s a dollar figure associated with that, and that funding usually comes from the board.”