Is your organization equipped to handle the ever-changing issue of cybersecurity? It’s an issue that used to primarily affect the corporate juggernauts among us, but those days are gone. Now, companies of all sizes must invest to defend against threats that become more widespread and commonplace by the day, fueled in large part by our pandemic-era remote work environment. As the cybersecurity landscape continues to evolve, so does the role of the Chief Information Security Officer (CISO). To gain a better understanding of topics and trends that are front of mind in the cyberworld today, we spoke with CISOs at some of the country’s most prestigious companies to uncover emerging trends and find out what they recommend to bolster cybersecurity efforts. The greatest tool of all—and a common thread in the six trends outlined below—might just be simple, human communication.
Effective Board & Executive Team Communications are Critical
Building and sustaining good relationships with boards and committees is more critical than ever, and it can be a big consumer of time and focus for many CISOs. Discussions around cybersecurity have spiked among company leadership as the threat of ransomware attacks increases. This phenomenon spans many industries, including some deemed to be part of critical infrastructure. No matter the industry, top leaders agree that ransomware is a frightening prospect—some CISOs report that their boards and executive teams are quite simply “freaking out” and are turning to CISOs for more frequent and proactive updates on how they are monitoring and mitigating risks for their organization.
A proper risk management approach is key in these situations. It’s critical to quantify risks and put them in easy-to-digest business terms that will resonate with boards and business leaders. All organizations are unique, so CISOs should tailor their communications to the composition and interests of boards and executive teams. Regardless of what you say, crisp communications based on data and analytics—expressed early and often in clear terms of business and risk—are essential.
Security Risks are Increasingly Impacting Supply Chains
The risk to organizations is only expanding due to vulnerabilities within their supply chains. Look no further than the attack on SolarWinds to reinforce the reality of how vulnerable interconnected supply chains can be. As a result, CISOs are now engaging supply chain and procurement professionals more proactively to discuss governance and policy procedures. To mitigate supply chain risks, CISOs are assessing and recommending policies that ensure a more redundant and resilient set of suppliers, so that there is a playbook in place should any one of the business's suppliers become disabled due to a security attack.
Furthermore, CISOs must broaden their purview beyond the direct vendors they have relationships with and mitigate risks across their full vendor and supplier ecosystem—this is a necessity, as those risks can ultimately spread to the company’s clients, posing an even more significant threat. And when it comes time to communicate supply chain problems to the board, strong business and financial acumen combined with cross-functional relationship-building skills will always come in handy.
Remote Work and Digitization Have an Extensive Impact
We all have experienced the lasting impact of COVID on the workplace to some degree. Chief among the effects was the swift move to a remote workforce and increased digitization of business processes, which necessitated a change to security policies and a move to cloud environments. These changes resulted in significant investments for many organizations that were not prepared to appropriately service and secure a fully remote workforce.
CISOs would do well to document a full list of risks—including stolen credentials, ransomware, and more—and the capacity of stakeholders to engage. They shouldn’t be afraid to get more creative and innovative in evaluating ways to drive efficiencies in their programs. The more CISOs can plan for the risks that accompany our new remote landscape of work, the more business operations will be enabled to run with minimal or no disruption, putting the ROI value of the security team in the spotlight.
Broader Organizational Influence & Impact are Needed
It’s not realistic or feasible for CISOs and their information security teams to be the only ones addressing security concerns. Education and evangelizing, including the development of other promoters or “champions” of security, is important to drive higher levels of awareness and improved security hygiene.
The bottom line here is that CISOs need to be good at sales and influencing, including the development of their own teams’ capabilities in these critical areas. For example, the deployment of internal training programs or cybersecurity awareness testing can go a long way in shoring up security. IT and technical staff rarely cause cyberattacks themselves, so CISOs should look to educate their organization’s weakest links (i.e., the least knowledgeable employees) to make the most of these initiatives. Frequent training and testing are critical to ensure all employees—regardless of role—understand potential risks and threats.
Team Building & Development Remain Challenging
Attracting and retaining top tech and information security talent continues to be an ongoing challenge. Increasing demands and the expansion of roles and responsibilities are causing many teams to become overwhelmed and stretched thin. A vital requirement of CISOs today is the ability to effectively build, lead, and inspire their teams to feel empowered while learning and growing throughout the course of their careers.
There’s a war being waged to secure top talent, and CISOs can arm themselves by thinking more creatively about talent management, including drawing talent from alternative pools to meet the evolving needs of their organization. Hard skills can be learned along the way, but it’s important to find people who are dedicated, reliable, personable, detail-oriented, and continually interested in honing their abilities. Soft skills are equally or more important than hard skills in this field of work—the latter can easily be taught, but the former often cannot.
Career pathing and development are becoming increasingly important to avoid burnout and turnover. CISOs are tasked with identifying opportunities to automate the more traditional and mundane tasks—like system monitoring and incident response—and transitioning people into security architect-type roles and career paths that are known to be far more engaging and motivating. Leading CISOs are not only focused on present team dynamics but are also keeping a line of sight on ensuring they are effectively developing the next generation of CISOs. In our discussions, we discovered a consensus that many current deputies to CISOs struggle to develop the critical soft skills noted above. While we don’t know exactly why that is, we have a few ideas. Many InfoSec practitioners are introverted by nature, so soft skills need to be prioritized and coached up by CISOs. Positive behaviors can be learned, so leading by example to show them how it’s done and bringing others along to gain as much experience as possible can make a difference.
Career Trajectories are Evolving
Many CISOs are not inclined to simply “rinse and repeat” in CISO positions at bigger, newer, or more diverse organizations. With the CISO role rising in visibility with a broader scope and increased expectations, the path toward becoming a CIO or CTO has emerged as a more viable career option. In our discussions with multiple CISOs, one diverging path that we noticed was an increased interest in startup or early-stage companies, with many CISOs opting to work in more market-facing or general management-oriented roles within the cybersecurity vendor community rather than owning security within an enterprise. Reasons for this pivot vary, ranging from the opportunity to try something new and different, to burnout from the demands of the CISO role, to the potential upside opportunity afforded to senior leaders in venture capital or private equity sponsored companies.
A Final Word
We’ve seen that in today’s complex cybersecurity environment, a CISO has a lot more to consider than just the latest technology and basic security protocols. To ensure success, CISOs need to cultivate a business mindset to ensure they’re ready to effectively interact with boards and executives. Even in the face of cyberattacks and data leaks, CISOs need polished presentation and communication skills to get their ideas across to employees and leadership alike, fostering engagement along the way.
By harnessing the power of simple communication, CISOs stand to market and sell their ideas to leadership and create better, more fulfilling career paths for their staff. No matter which of these trends you find yourself tangling with, remember not to get lost in the weeds and try not to strive for perfection. A little human interaction will take us far as we tackle cybersecurity challenges ahead.