What keeps CISOs up at night? And where should CISOs focus to bring value to the business? How should priorities shift given the proliferation of cyberattacks that threaten to disrupt businesses worldwide?
To help cut through some of the noise, we partnered with Redmond Magazine to convene leading CISOs in a discussion about the most critical aspects of the role. The panel included:
- Chris Roberts, Hacker in Residence at Semperis and session moderator
- Limor Kessem, CISO, CISM & Executive Security Advisor at IBM Security
- James Azar, CISO at Confidential
- Evan Francen, Co-Founder at FRSecure and CEO at SecurityStudio
Several tactical takeaways for current and aspiring security leaders emerged from the discussion. But these three points rose to the surface.
Establish your seat at the C-suite table
Now that CISOs are taking their relatively new place among the C-suite, they need to acquire a different set of skills in order to engage effectively with business leaders and stakeholders.
As Kessem pointed out, despite having a C-level title, the CISO still often reports downstream and isn’t well represented in the chain. Talking to business leadership starts by ensuring the CISO is recognized: “First of all, have a seat with executives and with board members. Make sure that there is a seat there for the CISO.”
Gaining recognition from business leadership also means finding the intersection where the business world meets security.
- How do security threats translate into downtime, costs, or damage to the stock price? Discuss what the security team is doing in these terms and what resources they need to accomplish their goals.
- How do security goals align with business goals? The CISO can benefit from thinking like a salesperson at all times and making security a business enabler rather than just an expense. Can better security increase margins or ensure success on a specific revenue stream? In business terms, every expenditure of effort needs to provide value. Just protecting against loss isn’t enough.
- What language resonates with your particular organization, CEO, or board? Not all boards speak the same language. The CISO needs to establish relationships with each decision-maker, ensure there’s trust between them, and understand what concerns are top of mind with each individual.
Our panel agreed that CISOs—and aspiring CISOs—can benefit from understanding business even before tackling security. Taking a business MBA class or training on the role of the CTO, CFO, and CEO can help you understand their challenges and be more successful in your own role.
Put people before tools
Finding the balance between tools and technologies and the human aspect of security is another challenge for CISOs.
According to our panel, companies tend to still think of security as something they can buy. However, teams are beginning to suffer from tool exhaustion. CISOs need to take a critical look at how many tools they have, and how many they’re actually using. How can you apply tools you already have to additional uses?
According to Francen, the best piece of advice he ever got when he was very early into his career was: “The people who can secure their stuff better are the people who intimately know their stuff.”
While we need technology to enable our teams, complexity is the enemy. Simplifying technology is how CISOs get buy-in and make good security habits ingrained in the company culture.
Take—and propagate—accountability
Our panel unanimously agreed that more accountability—for each practitioner and the cybersecurity community as a whole—can move the needle in the battle against malicious attackers.
Azar articulated it well: “There are responsible voices that want to do good … And yet there are a bunch of voices out there creating FUD, misinformation/disinformation, creating challenges. And unfortunately, what ends up happening is people don’t know who to listen to.”
Ultimately, there’s some question about accountability today. Where does it lie? With the CISO/buyer? With the industry? Who exactly is the most knowledgeable and trustworthy?
The upside of recent high-profile attacks against companies like SolarWinds, Cyberpunk 2077 developer CD Projekt, and the Oldsmar, Florida water treatment facility is that they’ve made core cybersecurity issues visible and brought more accountability across the board. These incidents bring the conversation to the forefront, but CISOs need to ensure it stays there.
As our panel discussed, CISOs are responsible for asking more questions, sharing more, and helping cash-strapped public works and infrastructure companies improve their security. We need an industry movement to help those organizations because cyberattacks can happen to any entity, and we need more collaboration instead of finger-pointing.
These three themes persisted throughout the remainder of the debate, where the CISO panel addressed questions such as “What would you do in your first weeks on the job as a new CISO?,” “Is there such thing as a perimeter anymore?,” and “Where should practitioners invest time now to get ready to be CISOs in 2022 and beyond?”
If you have some of these same questions, watch the full discussion here. Related to this discussion, Chris Roberts shared thoughts on why Active Directory is the CISO’s Achilles heel with Security Magazine.