The Cybersecurity Crucible: Unsung CISO Struggles Under Fire
While cybercrime makes a CISO’s position daunting, board support can strengthen organizational resilience. There are five critical questions the board should ask their CISO to create this outcome.
The chief information security officer has an enormous amount of responsibility. They are accountable for the entire organization's security across its geographical and virtual footprint, day and night. Streamlining a company’s many tasks during cyber-attacks is difficult, even for the most experienced CISOs. Additional factors, such as the high demand for and low supply of skilled cybersecurity workers and the requirement to keep within budget, compound these many functions, making the CISO’s position daunting.
When a malicious attack breaches a company, the CISO bears the burden of blame all too often. It’s no wonder the average CISO lasts about two and a half years. Regarding phishing attacks, CISOs simply cannot control every worker’s actions, and the fate of the entire company should not rest on one worker innocently clicking on a malicious link. A company faces fundamentally severe issues if its cybersecurity posture depends on an individual avoiding clicking a link.
Malicious links are one thing, but there are even more alarming issues. For instance, due to ‘Citrix Bleed,’ a vulnerability that occurred in October 2023 and affected single-sign-on access across many organizations worldwide, disruptions to water utility companies, the bond market, and financial transactions have occurred. There was even an instance where ambulance services were diverted from hospitals.
Following relentless cyber-attacks in recent years, which have become daily mainstream media headlines, and warnings from security agencies such as the UK’s National Cyber Security Centre (NCSC), company directors and board members realize that the question they need to ask themselves is not ‘if’ but ‘when’ a bad actor will compromise their organization.
Cybercriminals are highly proficient and operate full-time, often in organized teams of contract players that bring together diverse, complementary skill sets. Cybercrime is a well-run enterprise; the World Economic Forum states “that the damages incurred by all forms of cybercrime, including the cost of recovery and remediation, totaled $3 trillion in 2015, $6 trillion in 2021, and could reach $10.5 trillion annually by 2025.” If cybercrime were a country, it would have the third-largest economy after the US and China.
Heavy Is the Head That Wears the Crown
CISOs certainly have enormous responsibilities and can’t guarantee the organization's protection on their own. Not even the best IT teams are capable of protecting organizations. Their workload is heavy enough, and they can’t be expected to have staff with the proper training or know-how to protect tech and manage it.
How can the board support a CISO to strengthen organization-wide resilience? And how can a CISO lean on the board without worrying about job security whenever a board member reads about another ransomware attack? Ideally, someone on the board -- or someone who advises the board -- is needed to understand the current threats, manage them, and square the financial and reputational costs of an attack with the investments made in cybersecurity.
The first step to helping boards and CISOs work together on defense is to examine the language of cybersecurity. Technical teams, non-technical senior managers, and directors often speak different languages. CISOs requesting funds must explain the benefits of a risk-based security strategy; board members must understand these dangers and prioritize resources with other concerns such as skills shortages, supply chain issues, and investment in new technology.
For CISOs and boards to work effectively together when dealing with cybercrime, there are five critical questions that the board can ask:
1. How do they measure the maturity of the information and cybersecurity in the organization? It should align with the United States’ National Institute of Standards and Technology (NIST) or the UK’s NCSC Cyber Assessment Framework (CAF). And it’s best to focus on unifying language, not scoring themselves against each scale.
2. Have they tried implementing controls for a while but need help justifying the budget? Then, relate this to the maturity assessment for the area affected by the lack of control. It might help to bring in a specialist external cybersecurity company to assess the organization’s security posture and maturity at this stage.
3. Can they show statistics on cybersecurity incidents and cyber-attacks on the organization? All organizations are under near-constant attack from automated tools, and many also face targeted or manual attacks. The CISO should be able to show how they are defending the organization and learning how to do it better and more efficiently.
4. Would they benefit from a business-focused stakeholder? If yes, they could be assigned a business mentor from the board. A business mentor ensures that the CISO doesn’t merely try to defend the organization but enables it to thrive.
5. Are they using the investment they’ve already made in products, services, and licenses wisely and to the maximum extent? Many organizations only use a fraction of these.
In essence, a CISO, backed by the board, can significantly benefit an organization. They can provide a security roadmap, create a security culture and mindset, build security into new IT projects, ensure resources are best used, and, over time, reduce costs. Don’t let a language barrier become an entry point for bad actors to exploit.