Today's CISOs are under attack from many directions, both inside and outside their organizations. To be sure, plenty of malicious actors are using new and more sophisticated exploitation techniques to infiltrate networks. But CISOs are also facing criticism from within their own companies.
The demands on today's Chief Information Security Officers are countless: keeping up with the introduction of new technology and protection measures, improving the skills and morale of their staff, and above all providing greater leadership and accountability to reduce the organization's overall compliance, risk, and liability burden. Increasingly, they also bear that risk and liability personally.
According to Forrester's recent Security Program Recommendations report, “The eyes of the world are on CISOs, and not in a good way. There is now a long list of sacrificial CISOs who have been fired or resigned due to disagreements with their companies.”
Navigating what comes next won't be easy, but here are five takeaways from Forrester's analysis that may help you identify a path to success.
Empathy can rebuild trust after a breach
In a recent report on the brand impact of privacy lapses, Forrester analyst Heidi Hsieh wrote that one consequence of continued attacks on corporate networks is a decline in trust, especially among customers and business partners.
She recommends that CISOs critically examine both cybersecurity and privacy risks across their operations, including their ecosystem of partners and suppliers, because, as she writes, “robust privacy oversight, practices, and accountability structures provide the foundation for developing new products and services.”
At the same time, CISOs should understand the concerns of suppliers, partners, and customers about the damage a breach can cause, regardless of who is ultimately at fault, and demonstrate empathy and support through prompt post-breach notification and transparency.
“There is a tendency to self-preserve after a breach, and it makes sense to keep information private even after the incident is over,” said Max Shier, CISO at Optiv. “However, cybersecurity professionals, especially CISOs, need to ensure that as much information as possible is shared to help others learn from the event.”
Speak up when you make a mistake
As part of rebuilding trust, CISOs need to come clean, take responsibility when problems arise, and actively work with stakeholders to resolve them.
One of Forrester's suggestions is to “practice radical candor with key constituencies and executives.” In other words, ask the hard questions and work toward agreement.
“Having transparency, understanding, and keeping lines of communication open will help the entire supply chain deal with the event, even if something breaks down the line,” Shier said. “This is key to building a resilient supply chain, but it is also important that we help each other during and after the event, as there are ripple effects up and down the supply chain.”
CISOs cannot afford to ignore data breach liability. According to a report on the top 35 breaches worldwide in 2023, organizations paid approximately $2.6 billion in fines for 1.5 billion compromised records, with nearly half of the breaches occurring in the public sector and healthcare industries. The list included breaches at many of the world's largest telecommunications providers, and all but one of the top 35 breaches occurred in the European Union or the United States.
Operational transparency: It’s not just about PR
Transparency also needs to be a natural part of a CISO's strategy, not something invoked only after a breach. As Forrester's analysts point out, part of the motivation is compliance.
“Regulators are calling for greater transparency,” they write. “They try to make things easier by using the threat of legal action to incentivize security leaders to act in the best interest of their customers and themselves. A lack of transparency results in violations of the law, breaches of trust, and ongoing problems.” The alternative to transparency theater, in other words, is to do what you say you're going to do with your data.
In another report issued earlier this month, Forrester's analysts also advise security leaders to “never sign your name to third-party risk assessments, underwriting documents, or regulatory compliance certifications that obscure or hide program or product flaws.”
In general, CISOs should “involve as many stakeholders as possible to understand where the problem occurred, to ensure that the root cause is resolved, and to identify other issues that may have been overlooked. We need to be aware of them and be proactive about fixing them,” says Shier. “This is especially true now that CISOs are increasingly being held personally responsible for problems that result from corporate negligence and for persistent, known, and unmitigated security issues.”
Pay more attention to improving staff skills
CISOs also face the challenge of keeping their staff up to date on new technologies, new threats, and new prevention methods.
“Security is a moving target and the landscape is changing very quickly,” says Lisa Rokusek, a recruiter at her St. Louis-based agency, Rokusekrecruits.com. “Many companies have a terrible track record when it comes to developing and retaining internal talent. That's very short-sighted.”
Organizations should invest more in better upskilling programs going forward, says Forrester analyst Jess Byrne. In a report on the subject, Byrne wrote: “The lack of employees with security skills has been a significant challenge for many organizations. Investing in technology rather than training will only widen the skills gap as practitioners struggle to learn new tools and improve proficiency in key areas.”
Understand context while embracing new technology
When it comes to implementing new technologies such as generative AI, it is almost inevitable that CISOs will get caught up in the hype cycle at some point. With any new platform, though, it is important to keep a cool head and think carefully about both the data privacy risks and the security benefits.
“The cybersecurity industry, like any other industry, falls prey to the hype,” Shier said. “AI, zero trust, and security platforms immediately come to mind. A CISO's job is to weigh risks and benefits, scrutinize marketing language, and strike the right balance between the two while enabling the business. Especially if AI truly changes the world, for better or worse, and the need to implement it is that strong, the decision is simple, since otherwise your business could quickly become irrelevant. But it is work.”
As Forrester's analysts noted regarding tools like ChatGPT, organizations need to “prioritize utility over flash, recognize the limitations of AI, and understand its impact” on their infrastructure, data, and operations.
Another example is going passwordless. Forrester recommends that businesses move to stronger authentication methods, such as passwordless, to prevent future attacks. But this isn't something a CISO can simply flip a switch on.
“At 80,000 feet, this is all true. We've needed something better than passwords for a long time,” said Phil Dunkelberger, CEO of Nok Nok, a longtime authentication vendor. “Here's the problem: as our customers begin to deploy passwordless solutions, we find that the devil is in the details. Every industry has its own security needs and its own regulatory requirements and obligations, and of course the platforms are very different.”