By Matt Moore
The role of CISO is a tough one. The organization’s top security executive must juggle a myriad of challenges, from getting security buy-in at the board level, finding appropriate funding, and working to identify and retain talented security professionals, all the while preparing for the next big breach. But though the road to a holistic cybersecurity model (and inner peace) may be a rough one to travel, there is a map to success if you can master these skills.
Define your priorities
The first step for many organizations is to take a look at who they are and where their priorities lie. CISOs, and the rest of the executive team, should decide whether providing cybersecurity services internally is a core part of their business.
In some cases, top executives will determine that building their own security team is the right approach, because of unique security needs or security regulations in their industry. But many companies will decide that building a full internal cybersecurity team is not in their wheelhouse. As such, some CISOs may outsource all of their cybersecurity functions to a security specialist, while others may decide to supplement internal teams by outsourcing only some functions. Either way, the first step is to take a look at their business and determine whether building an internal security team is a critical need and to what extent.
Organizations should be honest about who they are as a company – what their purpose and focus is. If they choose to build, they need to hire their own security staff – spend the money, hire the people, and dedicate the resources necessary for success. If not, they should be clear and clinical about what they’re going to outsource, and where they’re going to get that support.
Most CISOs today are comfortable with either an in-house approach or an outsourced approach. The challenge is in attempting to do both at the same time. With a hybrid approach, there are blurred lines of responsibility, with crossover between the in-house team and the outsourcing vendor. Hybrid approaches can lead to complexities of ownership and responsibilities, with the KPIs of each team being called into question. There is potential for a lot of conflict, but it can work if the contract terms and operational processes are well defined.
Find the A-team
One reason to consider outsourcing security services is the difficulty that exists in finding and retaining qualified cybersecurity professionals. Today, there are far more cybersecurity job openings than there are qualified people to fill them. According to Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity jobs globally by the end of 2021, up from 1 million positions in 2014.
Small companies in particular may struggle to find and retain talented, let alone affordable, cybersecurity staff. In addition, small companies trying to operate their own cybersecurity teams may be attempting to cover a 24-hour, seven-day-a-week operation with a handful of employees. In these situations, when a cybersecurity team member has to mitigate a steady stream of security alerts in the wee hours of a weekend, burnout is imminent.
Alternatively, while some professionals might enjoy the tight-knit relationships they can build with business leaders and executives in smaller organizations, others may find that small companies don’t provide the challenge they crave. Those staff are more likely to want to go somewhere where they can thwart the bad guy.
Talk to the board
One skill that has become critical to the CISO role is communication, particularly with the C-Suite and boards of directors. In too many cases, there is still a disconnect between the language that the CISO uses to describe his or her challenges and the language the other executives understand.
While many CISOs have excelled as respected and strategic business leaders, in some cases, they still find it challenging to clearly connect their security-specific priorities to the performance of other areas in the business in a way that really hits home with the other members of the C-Suite. CISOs outside of the financial industry, for example, need to be able to link an event that shuts a business-critical system down and disrupts operations to the overall impact on earnings per share.
Create a holistic security model
Whether they’re doing it themselves or relying on outsourcing providers, organizations should aim for a well-rounded cybersecurity program. Without a holistic approach, there is a very real risk of not being able to respond to threats before they’ve already done significant damage.
A comprehensive cybersecurity model includes security tools such as threat detection, enterprise security monitoring, device management, a security operation center, application firewalls, and vulnerability management. Some cybersecurity vendors offer these tools as managed services and work with you as a partner to see your threat landscape more clearly – and yes, lighten your workload.
Two more recent tools that fit nicely into this model are managed detection and response (MDR), and security orchestration, automation, and response (SOAR). MDR can bring automation tools to the fight against cybersecurity threats, while SOAR ties an organization’s cybersecurity tools together in an effort to create a unified defense. Some organizations have been slow to adopt SOAR because they associate its extensive functionality with complexity. But not exploring the benefits of SOAR means these companies are limiting how automation tools can help protect their data, their people, and their business. And while artificial intelligence-based security tools are still in their infancy, there are some powerful benefits for companies that see their potential and use them correctly.
To sum up, in my opinion, this is the recipe for CISO success:
- Know whether security is in your company’s wheelhouse, or if you should bring in outside help
- Find and keep the right team by matching the work you’re doing and the kind of culture you have with what each person on your team is looking for and can bring to the table
- Know your audiences and learn to communicate with each one in their own language to ensure you’re getting through and can relate to each other
- Whether your security model involves an in-house team, an outsourced one, or a bit of both, ensure you have the tools and support you need to see the full picture
As the saying goes, it’s a tough job, but someone has to do it. And if you are currently a CISO or aspire to be one, you probably aren’t one to shy from the challenge. What is your recipe for CISO success?