The job of a chief information security officer, or CISO, is in many ways like that of other CXOs. Like their CXO peers, a CISO will have a strategic agenda that is aligned with that of the business. Within that agenda, a CISO will also have specific priorities, often strategic in nature and aligned with the business’s overarching priorities, as is common at the CXO level. And like other CXOs, a CISO will often need to put out fires that flare up from somewhere within their purview.
But this is where a CISO’s job begins to look noticeably different from that of other CXOs, because many of the fires CISOs deal with result from deliberate, conscious, and often coordinated attacks by threat actors. These fires can have the potential to pose an existential threat to the business.
And even if the CISO is not personally responsible for directly combatting cyber attacks, there is no doubt that the buck stops at the CISO’s desk. With a business reporting on average 206 to 270 attacks per year, the bucks are piling up. The constant threats and attacks create an X factor — a situational variable that can greatly impact the outcome — in the CISO’s job. CISOs therefore take a practical and highly focused approach to setting certain operational priorities. Let’s look at how some of those play out.
Protect the data
One of the first operational priorities is simply “Protect the Data.” This is most often centered around having a security framework with specific characteristics. The blocking and tackling for the framework is in the form of formal written policies and standards. These documents both guide employees and comprise operations playbooks. To supplement the documents and reinforce the security mindset, it’s important to have regular, high-quality security training. If the training can be tailored to job roles, so much the better.
Technology being the bedrock of cybersecurity, protecting the data means evaluating partners and products related to data protection. This is vital because cyber attacks on businesses evolve constantly, with a new threat appearing, on average, every 24 minutes. Therefore, protective measures and solutions change frequently too. The CISO must stay ahead of the solutions curve because protecting the data requires having the expertise to both accurately evaluate risk and determine how to limit company exposure to that risk.
Respond to incidents
Because we know that hackers are not slowing the pace of their attacks, it’s no surprise that a CISO’s operational priorities include responding to incidents. As with protecting the data, formal documentation is key. This can take forms such as creating and evaluating an incident response plan (IRP) through desktop exercises. These plans specify post-incident actions required not only of IT staff but of every position that is needed in a real incident — lawyers, the CFO, the PIO, the Risk Officer, etc.
How a company prepares for and responds to incidents depends in part on the board’s risk appetite. Because they are at the CXO level — 61% of surveyed CISOs said they report to the full board — CISOs interact with the board in many ways, and gauging risk appetite is key. CISOs also typically inform the board of potential high-impact issues and offer guidance on policies associated with IT security.
Be in compliance
This operational priority is often shared by other departments. For CISOs, it includes compliance with government regulations around data protection, data privacy, data integrity, and related issues. But it also means, for example, ensuring that data protection and cybersecurity measures meet customer contractual terms and complying with industry standards that must be met for certifications. This is not a trivial challenge, given that, on average, 39% of security technologies used by organizations are considered outdated.
Being in compliance is an operational priority for CISOs and not only because it strengthens an organization’s ability to protect its data and respond to incidents. Compliance is also critical because failures have significant consequences, such as large fines, legal ramifications, and loss of customer trust or damage to a company’s reputation.
Trends in CISO priorities
The cyber threat landscape changes daily, but there are trends that can point to where priorities are headed in the near term. A recent Venturebeat article draws on insights from Forrester in advising CISOs to prepare for three specific challenges. One is consolidating their organizations’ tech stacks. CISOs can see this as an extension of “protect the data.” As the economy changes, CISOs should also be prepared to defend their budgets. This can add to the list of ways CISOs interact with the board.
The third priority, and one that will not likely disappear from the top three priorities any time soon, is reducing risk. Identifying which security technologies deliver the most value and defining spending guardrails is imperative.