Despite the increasing number of cyber attacks in recent years, CISOs still struggle to gain traction when building and advocating their security programs. While they are tasked with protecting the business from data theft or compromise, CISOs often find that they don’t have the requisite level of authority or backing to implement an effective cyber security program. With this dynamic, it can be incredibly difficult to foster an environment where information security is at the forefront of operations, and the CISOs can ultimately find themselves blamed for higher risk exposure.
This article will consider some of common struggles that CISOs face when trying to gain traction in their organization and how to effectively overcome these blockers.
Inconsistent or Unusual Reporting Structures Cause Confusion
These days, finding the appropriate position for a CISO in a company’s organization structure can be a challenge. While CISOs have “Chief” in their title, in some corporate structures the decision is made that this role is not “Chief” enough to report directly to the CEO like the rest of the C- level executives. Some businesses put the CISO under the CFO, potentially a reflection of the misconception by some that information security is a sunk cost. In that view, it makes sense to have the CFO oversee cyber operations to manage costs. Others will put the CISO under the CIO or CTO since they view cyber security as a subset of the larger IT division. And finally, there are those organizations who have accepted the view that cyber security is and should be integrated into operations. In these organizations, the CISO reports to the COO.
While there is no “best” arrangement that applies to every business, it’s easy to see that this unclear vision of the CISO’s place can result in confusion both on the part of the CISO and on those who try to understand his or her role and authority. This confusion trickles down the corporate structure. The result in some cases is that that users may see an executive who is two or three levels away from the top as not being worth listening to. Additionally, if a business unit’s aligned C-level executive is administratively higher on the totem pole than the CISO, they may decide that they can ignore the CISO’s direction.
To combat problematic placement in the organization’s hierarchy, CISOs should garner support both from their own leadership and from their peers, rather than trying to push forward with a program that is only run on their own merit. Before attempting to make any headway with the business on a new or difficult security initiative, CISOs should present their plans to the Board, CEO, and their peers, and gain their buy-in before taking it to the rest of the organization. This way, any pushback from the business can be overcome by the backing of the entire leadership team.
Cyber Security Programs Perceived as Cost- and Resource-Expensive
Every CISO knows that to build effective security, there must be sufficient funding. Unfortunately, there are many business leaders who view cyber security as a “necessary evil” which consumes resources and budget allocations that could otherwise be used to grow the business. This view can permeate all the way to the top– resulting in a CISO who is struggle to run an effective cyber security program with insufficient resources.
Obtaining sufficient funding for security initiatives is tricky, but not impossible. When presenting the security plan and budget, a CISO should represent risks as they affect the business, not how they affect systems. For example, saying “We need a new patch management system to better protect the servers” is a weak argument that will be met with doubt and hesitation. Instead, frame the risk in the context of business impact. “An improvement to our patching systems will result in $XX cost savings by avoiding data loss caused by preventable attacks” is a much stronger pitch that addresses the bottom line rather than technical solutions. If your business is publicly-traded, you could go one step further and discuss how this program can contribute to stable value for shareholders by helping prevent the potential reputational damage caused by a data breach.
Past Failures Hinder Future Initiatives
The uncomfortable truth is that there’s no such thing as a bulletproof defense, and even the most secure organization can be the victim of a security incident. Business leaders not well-informed on the reality of cyber security may view these “failures” as evidence that the CISO is unreliable and not worth listening to when he or she rolls out a new security project. These sorts of incidents can shake the trust that the rest of the business has in the security team.
To combat a lack of support caused by past problems, a CISO needs to demonstrate leadership through issue ownership, effective communication, and detailed analysis of incidents. Consider the message that is sent to the business by saying “Here is the how the issue happened, here is how we contained the damage, and here is how we’re going to prevent it going forward” versus “We’re not quite sure what happened but we’re doing our best to look into it.” The second statement can be perceived as a lack of awareness and concern, while the first reflects a leader who is on top of the problem and can be relied upon. An organization will much more readily support a CISO who lays out a clear path forward.
As security breaches become more commonplace in today’s digital ecosystem, CISOs may have obstacles to overcome while trying to push forward with his plans and initiatives. Uncomfortable reporting structures, cost-focused thinking, and dwelling on the past are common roadblocks to progress, which make it difficult for security executives to gain traction. CISOs who can overcome these issues by developing smart strategies and gaining support in the right places will quickly be on their way to implementing an effective security program.
Fears of a CISO: Keeping Up in the Cat-and-Mouse Game
Fears of a CISO: Lack of Security Education
Fears of a CISO: Keeping the Business Operational
Fears of a CISO: The Hidden Costs of an Attack
Click below to learn more about Teramind.
Editor’s Note: The writer’s opinions expressed in this guest article are those of the contributor, and do not necessarily reflect those of IT Security Central and Teramind Co.