The Doubts of a CISO - ThreatAdvice
What’s the greatest threat to an organization? Is it the rise of ransomware attacks or the craftiness of social engineering? Is it the evolving malware and business-email compromise campaigns that target businesses daily? These are all tremendous threats; however, the largest of them all might be the doubt that CISOs and security professionals have in their organization’s security plan.
As cyber threats have become more elaborate and cunning, CISOs are doubting the layers of security and protection put in place to defend against an attack. Nominet’s 2019 Cyber Confidence Report found that 34% of 300 CISOs surveyed were “somewhat or slightly confident” in their organization’s choice of security solutions, with only 17% indicating that “the array of technology making up their security stack was completely effective.”
The doubt can be traced to several sources. A notable cause is the lack of budget organizations are willing to put towards an effective cybersecurity plan. According to a report by Kaspersky, 89% of CISOs are regularly summoned by the board of directors (57% have regularly scheduled meetings). In most of these meetings the topic of discussion is internal cybersecurity. However, this has not translated to enterprises devoting more money towards IT budgets.
Another cause of doubt is the lack of employee cybersecurity knowledge. CISOs worry about fellow employees who disregard security through a lack of awareness. While it’s difficult for an entire organization to reflect the knowledge and expertise of its security professionals, it’s crucial for every individual to possess a baseline knowledge to close the gaps that attackers try to exploit. According to DarkReading, many CISOs agree that it’s important to take advantage of educational tools such as games, humor, and short training sessions to motivate users.
Doubt among CISOs can also be credited to the ever-changing nature of the cybersecurity space, which brings stress upon the position. While most CISOs believe they wouldn’t be terminated as a result of a breach, they still certainly feel the stress of performing to the best of their ability. A study found that 55% of 408 surveyed CISOs pegged their job tenure at less than three years, while 30% put it at less than two years. As often as security professionals are terminated because of a breach, it’s almost more likely for them to leave of their own accord.
A widespread lack of confidence among CISOs isn’t a good sign for any enterprise. Doubt in network security is just another weapon hackers use against businesses. So how can confidence be restored?
Thinking like a CISO. One of the main reasons security professionals struggle to have confidence in their plan is because they feel like employee cybersecurity awareness is out of their control. Utilizing education resources and building a cybersecurity standard through policies and procedures can help CISOs build confidence in their cybersecurity strategy. Having faith in non-technical employees can be difficult, but if trained properly, they can be the strongest form of defense.
Being proactive instead of reactive. It’s crucial for boards to back their security team. Breaches sometimes happen in ways that are completely out of the CISO’s hands. It’s important for everyone to be on the same page when facing these threats. In the wake of a breach, an incident response plan is an important element in minimizing the damage. When boards respond to a breach by removing their security professionals from their positions, it can often cause more harm than good.
Utilizing encryption and zero trust. New methods of security are being developed every day. Proactive CISOs should take advantage of advancements in device encryption capabilities and zero-trust access controls. This includes utilizing multifactor authentication (MFA) and mobile device management (MDM). CISOs should be able to see who is operating on the network at any given time. This helps with managing trusted users and ensuring specific data is only seen by the appropriate employees.
With new security measures come new threat tactics. Because of this, it’s almost impossible to eliminate all the doubts that exist in the minds of CISOs. However, organizations must continue to strive to reduce the doubts and stress of their security team. There is already a large enough shortage of security professionals. Therefore, empowering CISOs and IT pros is essential to protecting all industries.
See how our vCISO solution can give your IT team more confidence in your organization's cybersecurity plan.