How Not to Be a Crisis CISO
Share with Your Network
Businesses have been under historical stress the last two years as global events have dealt blow after devastating blow. And perhaps no office has felt these stresses more acutely than the CISO.
Unprecedented attacks, increasingly complex environments, expanding perimeters, blame culture, challenging stakeholders, friction between Security and IT, data overwhelm, and shortcomings inherent to traditional vulnerability management strategies can spread CISOs thin. Instead of investing their valuable time in efforts that lower risk to the business, they’re putting out fires and managing from one crisis to the next. This scenario is rife with trouble, setting CISOs up for failure from the get-go and leaving organizations one crisis away from complete disruption.
Worse, they reinforce destructive status quos, leading stakeholders outside of Security and IT (and ignorant of how cybersecurity protections actually work) to automatically blame CISOs for any problem or concern related to cybersecurity.
While specific industries are feeling the effects of heightened cybersecurity threats and remote workforce challenges more than others, CISOs across the board are reporting burnout and stress at record levels. A 2021 ClubCISO report revealed that over the last year, stress levels worsened for 64% of CISOs with 21% reporting “significant” stress. And with an average term of 1.5-2 years, it’s no wonder business and security leaders are reassessing their approach to the CISO role
A crisis CISO vs. a future-ready CISO
One way CISOs can improve on those numbers is to move away from managing crises and toward managing risk. The reality is that exploits and hacks will continue to happen. And as the world settles into this new norm of cyber threats, the word “crisis” itself is taking on a new connotation. What was once a memorably catastrophic event that rocked operations is becoming one of the countless speed bumps—events security leaders will need to navigate in the span of a typical work week.
CISOs looking to outmaneuver these threats—and outlast the pressures that come with owning cybersecurity for an enterprise under persistent assault—would do well to take a more strategic and proactive role in reducing business risk. How? By cutting through the noise and distractions of traditional security approaches, aligning teams around risk, managing stakeholder perceptions and expectations, and unifying the organization to better support security efforts.
It’s a challenging task, but the alternative—short, stressful tenures marked by one crisis after another—is anything but tenable.
4 ways to increase CISO resilience
To help break down this multi-pronged effort and make it achievable, here are four approaches to consider.
- Establish a network of risk-aligned allies. Making the case for a modern, risk-based approach to security operations is the first critical step in removing the title of a crisis CISO. Framing your security conversations around business risk will help non-security people understand the importance of understanding the true risk a threat or vulnerability poses to the organization specifically. Rallying as many influential figures as possible around data-driven, predictive risk prioritization and threat management will help optimize resources, drive down the most risk, and set the stage for future security efforts.
- Simplify (and democratize) your security operations. Security has evolved into a company-wide sport. With human error accounting for a large number of data breaches, the need for more comprehensive, user-friendly, and intelligent security solutions is at an all-time high. Leaders in enterprise management solutions are making significant strides in bridging together once highly complex and disparate pieces of security operations for easier and faster decision making. And simpler, self-service security technology removes the need for gatekeepers and invites more people across the organization to become active participants in maintaining the cyber hygiene of the organization.
- Get Security and IT on the same page. Traditional vulnerability management approaches often give way to inefficient processes and poor relationships between Security and IT, draining resources, pitting the teams against each other, and leaving risk levels effectively stagnant. Risk-based vulnerability management solutions offer evidence-backed fix lists with baked-in contextual data, ensuring that remediation teams are working together to target the vulnerabilities that pose the biggest risk to their organization. Risk scores, which instantly communicate the level of risk posed by a specific vulnerability or facing a set of assets, workgroup, or the enterprise as a whole, make it easy for teams to rally around reducing risk. The trickle-down effect is that both teams feel ready to tackle the next threat with increased confidence and collaboration.
- Communicate clearly, concisely, and consistently. Security updates and information shouldn’t be contained in annual training pushes or board reports. With more emerging risk-based champions, the need for regular communication increases. Weaving cybersecurity conversations into ongoing corporate dialogue will help bring others into the fold, educate them on why risk management matters, instill a sense of shared investment, and combat blame culture. When a “crisis” does occur, confident and educated workers and leadership are more likely to be familiar with what’s happening and trust the CISO to do their job.
Behind every resilient CISO is a risk-aligned organization
Stepping back to look at each of these approaches as a whole, a common thread emerges: Empowering the CISO role and elevating it above the minutia of traditional security operations is a team effort. Shifting from a reactive, resource-draining security stance to a proactive and streamlined one takes cross-departmental and leadership support. Increasing cybersecurity literacy and participation, while keeping risk at the center of the conversation, helps change perspectives and expectations and holds the organization at large accountable for the future of its own cyber health.
So, when a crisis occurs—and it will—the CISO is set up for success from jump.
Ready to evolve your security operations? Download your copy of How to Implement Risk-Based Vulnerability Management Now.