The CISO role has changed, and CISOs need to change with it
What is a CISO today? We don’t have to go too far back to a time when they were part of the IT team, directing IT staff and planning cybersecurity defenses. Though vital work, CISOs previously were not part of upper management and left little impact on the core business. The ever-increasing risk of a cybersecurity breach, and the spiraling cost of cleaning up afterwards, has changed this.
Today, many CISOs sit on the board of directors, the C in their title reflected in a new C-suite status. As no modern business can operate without IT infrastructure, their contributions are as key as the CFO or COO.
The CISO may have more power, but this comes with greater responsibility. Every piece of research into the current threat landscape seems to paint a grimmer picture than the last. The CrowdStrike 2022 Global Threat Report shows an 82% increase in both data leaks and ransomware attacks compared with last year. The IBM/Ponemon Cost of a Data Breach Report estimates that the cleanup costs of a cybersecurity breach is, on average, $3.8 million. Cyber attacks are becoming more sophisticated, more common, more destructive–and the CISO is ultimately held accountable for any defensive missteps against current and emerging risks.
When this is coupled with the ongoing shortage of security professionals, it’s no surprise that stress is taking its toll. One study found that 59% of CISOs report high levels of stress, and 48% are contending with burnout. To survive in their evolved roles, CISOs need focus. By investing time and resources in key areas—building loyalty, tackling legacy systems, and creating a culture focused on security—they can both protect their organizations and lower their stress levels.
Building loyalty and skills
CISOs looking to hire skilled cybersecurity staff are competing with every other CISO looking to do the same. Right now, most cybersecurity professionals can choose where they want to work, and command incredibly high salaries thanks to a lack of supply and a lot of demand. Trying to compete with this is going to be stressful, especially for CISOs—increasingly, they have greater authority over budgets, but also the responsibility to spend effectively. This control is of little use if everyone they can find to hire is too expensive.
What’s the alternative? Smart CISOs will look internally, at employees who are perhaps not yet highly skilled cybersecurity professionals, or they might not even work in IT. With the right training and support, they could be eased into critical new cybersecurity roles. After all, not every cybersecurity role is a technical one.
For roles that do benefit from solid technical prowess, especially at the code level, many businesses have an untapped resource—their developer community. With a genuine understanding of how computers operate and hands-on experience working with code, many are in a prime position to upskill, learn secure coding techniques and share the responsibility for security. By appointing select security-aware developers as “champions”, this will reduce the burden on CISOs to maintain security with limited AppSec personnel.
CISOs should also consider non-traditional candidates for upskilling: entry-level IT workers may be hobbyists with more experience than one might expect. Military veterans often have many of the soft and hard skills necessary to develop cybersecurity skills. Experts in physical security may be able to transfer their noses for suspicious activity to the online world.
Looking internally is also good for morale and loyalty. The company acquires new cybersecurity skills, and the employee begins a whole new lucrative career. The loyalty gained from investing in upskilling shouldn’t be underestimated.
Dealing with legacy systems
The security advice to patch systems and keep them up to date is not always as simple as it’s presented. Very few businesses are starting from zero. Many have established infrastructure, including legacy equipment, frameworks and tools that have become deeply integrated into their operations. Ripping out and replacing isn’t a simple option, if it is an option at all. Some are still making use of COBOL, a language over 60 years old and most of its experts retired—so updating these systems is not straightforward. CISOs are charged with protecting and maintaining those applications alongside the most modern applications running in hybrid clouds and using modern frameworks.
Cybercriminals are smart. They almost always look for the weakest link when trying to infiltrate a network or steal data – and those old frameworks, applications and infrastructures are often preferred targets. CISOs know that they have security gaps but lack the time and resources to solve the problem efficiently.
Smart CISOs need to work with their security teams to develop a maintenance plan for all legacy software. If possible, external access should be removed entirely, however, it’s vital that teams are educated in security best practices for all live programming languages through hands-on training techniques and courses. When legacy languages receive adequate security support alongside the newest technologies, nothing gets left behind.
Creating a security-first culture
Perhaps the best way to improve security—and make the CISO’s job a little easier—is not reliant on technology. A change in culture is the best way to truly create an organization where security is top of mind. CISOs, part of upper management, but also part of the security team, are uniquely positioned to lead this change – both with other leaders and those they lead.
A security-first culture requires embedding security in everything a business does. Developers should be enabled to create secure code that is free from vulnerabilities and resistant to attacks as soon as it is written, as opposed to being a consideration much later in the SDLC. Designated security champions from the developer ranks should lead this charge, acting as both coach and cheerleader. This approach means that security is not being mandated from above, but part of the team’s DNA and backed up by management.
This cannot be an overnight change, and may be met with resistance. But the threat landscape is too complex, too advanced and too ubiquitous for any one person or even a small team to handle alone. Every employee needs to actively work towards better security, no matter their role—only then will an organization have a real chance of avoiding costly breaches and downtime.
CISOs today may feel like they have been handed a poisoned chalice, a job that is almost impossible despite increased influence, respect and inclusion. Legacy technology, unfilled security roles and cybercriminals that have never been so professional or prolific have stacked the deck against them.
However, by investing in existing staff, providing the right training, getting to grips with legacy applications and—most of all—creating a security-first culture and mindset, CISOs can thrive while creating real changes to their organization.
