In today’s fast-paced and ever-evolving technological landscape, the role of the CISO, or Chief Information Security Officer, whilst relatively new to the corporate hierarchy, is not only increasingly important, but more complex than ever before. Here, Fran Grant, Consultant in Berwick Partners Technology practice, highlights the top challenges for CISOs in the current climate.
CISO – a rapidly evolving role
The CISO is an exec-level individual responsible for developing and deploying an information security programme that consists of policies and procedures designed to protect an organisation from internal and external data security threats. To meet their key goals of protecting an organisation’s information and assets, CISOs are taking on a broader range of responsibilities to cover cybersecurity response, information security and data privacy.
The rise and importance of the CISO role
Information security has never been more critical to businesses, with the rising wave of cyber-attacks, and hackers becoming ever more sophisticated and persistent.
Despite many technological advances, businesses today operate in a world full of risk, and the challenges for CISOs continue to rise. Overhauling the approach to security, tackling ongoing threats, and ensuring uninterrupted business operations require both a strategic and a technological approach.
What makes a great CISO?
The role of the CISO requires an innate blend of leadership proficiency, business skills, strategy planning and tech savviness. It requires both thinking and doing. CISOs are strong leaders and collaborators who maintain their technical agility and expertise, nurturing a deep and wide knowledge of information systems, security, and threats.
They boast exceptional communication skills, cutting the fluff and losing the jargon, translating security concepts into business context, and explaining issues or plans in clear terms. They are adept at communicating technical issues to both a technical and non-technical audience.
CISOs are committed to continually refreshing and updating their knowledge of relevant industry regulations, standards, and compliance, as well as related technologies.
Key challenges for CISOs
Due to the fast pace of technological advances and a widespread increase in hacking and security breaches, CISOs are facing challenges that are more varied and more complex than ever before, from outsider threats to internal challenges such as budget approval, staff retention and stakeholder communication. Here we’ll look at some of the key challenges taking priority at present:
1. Hybrid / home working
As many businesses are continuing to work with a remote or hybrid workforce, everyday network and endpoint connections that once acted as an efficient frontline defence are no longer sufficient. Employees are working from home or public places using multiple personal or public Wi-Fi networks, often on a variety of personal devices, presenting countless security gaps. With this in mind, securing remote working conditions will remain a major challenge for CISOs.
2. Growing frequency of attacks
The increasing number of cyberattacks is one of the main concerns for CISOs. Attacks are often not isolated attempts and are rigorous and relentless.
3. Increasing sophistication of attacks
In addition to frequency, hackers are continually developing more sophisticated tools and techniques which constantly challenge security measures and breach defences. Groups or individuals termed APTs (Advanced Persistent Threats) have the knowledge and tools to infiltrate and breach the most robust network defences.
4. Increasing prominence of IoT
The emergence of the IoT (Internet of Things) and its expanded capabilities brings additional security threats, with every IoT-enabled device and its subsequent cloud storage opening the door for potential security risks.
5. Quantum Computing
Although Quantum Computing is still relatively immature, advancements at Google and IBM have suggested that standard RSA encryption will no longer be secure by the end of this decade, potentially sooner. It’s been suggested that security experts start planning immediately for a post-quantum future (source: www.silentbreach.com).
6. Phishing
Phishing emails continue to be the most common and most successful way in for attackers, with more people still falling prey to hackers posing as legitimate third-party vendors.
7. Skills gap / talent shortage
As the pandemic has catapulted us further into a digital-first world, the need for security professionals has increased in greater proportion than the available supply of talent. According to uktech.news, urgent training is needed to boost a scarce UK cybersecurity talent pool. Prolonged searches for talent can draw CISOs away from their critical day-to-day responsibilities, and the great resignation means organisations are having to work harder to retain the talent they do have.
8. Under-investment, budget constraints, and lack of business buy-in
A common headache for CISOs is getting the business buy-in they need in order to be successful in their role. Many non-technical or non-security educated people fail to realise the importance of security initiatives which can lead to problems with funding. Like insurance, not everyone sees a critical need for it until something disastrous happens, for example a data breach, which is not only extremely damaging to the business but financially costly.
9. Human error
Simple human errors are the most common reasons for security weaknesses, from employees working on non-secure devices, internal leaks or sharing of sensitive data, to individuals falling for phishing scams. CISOs have an ongoing battle to educate, train and reinforce the importance of security initiatives, to reduce the likelihood of human error.
10. Rapid software development
With many organisations adopting agile methodologies and encouraging development teams to adopt a ‘continuous improvement’ approach, software development lifecycles are indeed speedier, but less secure. CISOs face an ongoing battle where, in the rush to release, security can often be an afterthought.
11. Bridging the intelligence-operations gap
We’ve noted before that the CISO is often the newest member when it comes to C-suite leadership teams, and they face the challenge of reporting on certain issues that are often overlooked or misunderstood. With a good understanding of the business and its operations as a whole, a successful CISO has the ability to engage other members of the SLT, drawing their attention to and educating them on the importance of the security strategy. With the relentless pace of change with technologies, CISOs face the ongoing task of educating not only themselves, but their security teams, stakeholders, and the wider business, providing clear and useful data, and a comprehensive security overview, which often requires translation to bridge the gap in language and understanding.
To conclude, there are a great many requirements that are all important to the overall success of a solid CISO today, and it will be interesting to see what challenges lie in wait in the months to come.
Fran Grant is a Consultant in our IT & Digital Leadership Practice specialising in recruiting Senior Technology and Digital professionals in Retail, Retail FS, Leisure and Hospitality, with a UK wide remit.