What do CISOs care about and why cyber security is not just their responsibility

Security is as strong as the weakest link.

For businesses and organisations today, there are plenty of potential cyber security weak links to worry about.

For example, there’s the increasing move to edge computing, which expands the attack surface. The company network and datastore are no longer kept within a single central perimeter - the castle-and-moat model.

With companies utilising multiple clouds, remote working, mobile devices, working from home and IoT (Internet of Things) devices, and with human error always a factor, there are many more endpoints and potential weak links for hackers to exploit.

The pandemic has intensified the CISO’s role dramatically, but the buck still stops with them.

In this article, we’ll look at the top concerns for CISOs and how all employees have a responsibility for cyber security.

Top concerns for Chief Information Security Officers (CISOs).

Cyber security challenges are continuously changing and increasing, and of course in 2020 businesses had to enable remote working overnight, arguably without planning or preparation.

This meant CISOs had to:

- Button down security on the go.
- Deal with new emerging threats.
- Ensure business continuity.
- Deal with multiple systems, networks, devices, programs, processes and apps.

Let’s dip our toes into the ebb and flow of the river of cyber security and review some of the primary issues CISOs must navigate.

Growing frequency of cyber attacks.

Probably the top concern for CISOs – cyber attacks are increasing hugely.

Off-the-shelf hacking tools enable less technical criminals to enter the world of cyber crime, plus there’s the attraction of potentially big money to be made and plenty of sensitive data to hijack.

The current climate of working from home, edge computing, multiple perimeters to secure, etc. encourages cyber attacks further.

Expansion in attack opportunities.

The increase in companies hosting their data in multiple clouds, a new culture of remote and distributed working, the growth of IoT (Internet of Things) devices – all help to expand the potential attack surface as data is stored, managed and processed from many sources.


Cloud services vulnerabilities.

Multi-cloud environments can present new challenges for CISOs.

Misconfigured cloud servers, insecure APIs, employees downloading insecure public SaaS (software as a service) tools – all increase an organisation’s vulnerabilities which, in turn, increases the cyber security workload.

Scarcity of cyber security expertise and experience.

A good cyber security team, however big or small, can be the best form of defence against hackers. But the global demand for IT security professionals has outstripped supply. This, in turn, means a CISO and their team can be stretched thin, making it harder to manage cyber risks effectively.

Lack of buy-in from company directors.

Boards and CISOs often speak different languages and are from different backgrounds. The CISO is surrounded daily by technical concepts, jargon and acronyms that will often mean nothing to the board. So, it can be tricky to convey threats, risks and opportunities in a way that’s meaningful to board members.

At the same time, CISOs are increasingly having to step out of the (virtual and physical) server room and into the boardroom. These days, a good CISO needs excellent business strategy, operations and risks knowledge in addition to their traditional technical know-how.

Budget constraints.

It’s often difficult to show clear returns on cyber security investments, compared to other departments’ budget requests. This makes it hard for CISOs to secure the larger budgets they need. It’s even tougher for smaller organisations with limited budgets, potentially leaving them more vulnerable to cyber threats.

Need for wider cyber security awareness.

People are the weakest link in the network security chain. For example, it just takes one mouse click for an employee to fall for a phishing scam that invites malware into the company’s network.

Companies and CISOs need to create a security culture as part of the broader corporate culture. Each employee needs to almost be their own CISO. They need to be aware of their day-to-day cyber security duties and responsibilities. They need to understand their role in preventing attacks.

This takes nurturing, training and time. It takes impactful company-wide cyber security structures and policies to be in place.

This nicely leads into a further word about responsibilities.


Cyber security responsibilities.

While the CISO will have high-level expertise and experience, all employees have a role to play in cyber security.

As said above, people can be the weakest link in the cyber security chain.

Conversely, cyber security in the workplace is significantly enhanced when all employees understand its importance and know exactly what to do – and not to do – to maintain security.

As mentioned earlier, the current climate of working from home and employees using their own devices for work tasks creates further cyber security challenges. It’s incredibly difficult, if not impossible, for an IT department, even in a small company, to secure everyone’s mobile devices, home laptops, etc.

Hence the emphasis on staff taking some degree of responsibility for their corner of the company's digital perimeter.


What next?

Hopefully, this article has given a helpful insight into priorities for CISOs and why cyber security isn’t just their responsibility.

This article has come from part of our research, which has uncovered some key findings that every UK CISO will want to know. We will be hosting a hybrid, interactive event, Bluefort Live, that will be broadcast on the 15th October, 3:30 pm from a studio in London, UK to a live audience of CISOs and CTOs.

If you need help and advice with cyber security, however large or small your organisation is, just give BlueFort Security a call on 01252 917000, email enquiries@bluefort.com or use our contact form.