THE CISOs' NEW DAWN

Chapter 1: An effective security leader

Introduction

The Chief Information Security Officer's (CISO's) role has grown and matured fast from a standing start less than 30 years ago. Lately, this progress has accelerated.

Recent events have thrust information security – along with CISOs, their teams and suppliers – into the spotlight, and suddenly cyber professionals have started getting invites to all the right parties.

But this ascent to mainstream business relevance, trust and recognition comes with several burdens – not least changing priorities, a need to develop or refine soft skills, and a host of fresh responsibilities and accountabilities.

To maintain effectiveness as an operational CISO is, under current circumstances, one of the most challenging responsibilities they face. Recent events, it seems, have added further challenges: embracing and adapting to new pressures, requirements and requests that stretch the CISO's traditional roles in several directions at once. This brave new world is one littered with personal, political and human challenges, as well as the technical ones.

In this chapter, our panel outline how their roles have changed over the last 12-18 months.

Question #1

Have your role's responsibilities changed in the last 12-18 months, and have you been required to learn new skills?

Since the first cyber security officer was hired by Citi Corporation in 1994, the role of the CISO has matured significantly. The events of 2020 have demonstrated just how adept CISOs are at responding to the challenges to business operations and the increased need to embrace a wider security protection landscape.

While the activities undertaken and skills employed by CISOs haven't changed dramatically over the last 18 months, their responsibilities and priorities have shifted away from security executed as an isolated practice towards security coupled with day-to-day operations. CISOs consistently highlighted two key change points: 'risk' becoming the foremost responsibility, and the balance between technical capability and the ability to apply 'soft' skills in the role.

There are clear similarities of role changes and responsibilities on both sides of the Atlantic – any major differences are evident when it comes to organization size.

The size of a company is often a more effective predictor of the role of its CISO than the risks the organization faces. Cyber security leads for smaller firms are certainly more multidisciplinary beasts – and may even be the IT director. They must tackle roles that also touch on IT operations, help desk, as well as security. Bigger organizations mean more resources and the opportunity to specialize, ensuring the CISO stays focused on mitigating cyber security risks and remaining engaged with the senior management team.

The previous 18 months have compelled CISOs to strike an effective balance between – and alignment of – technical and business skills. CISOs of companies that handle volumes of personal data as a matter of course will be acutely aware of the responsibilities that come with this.

The same applies to those undertaking regulated activities: non-compliant organizations face significant exposure, including sentences² for company principals in some cases. US (59%) and European (57%) CISOs see a clear increase in their role's responsibilities related to regulation and privacy. The potential penalties that come with some regulatory regimes create a powerful incentive for CISOs to strive for alignment of cyber security risks within an organization's enterprise risk management (ERM) frameworks.

The lack of consistent nationwide regulation and privacy controls in the US has added to the complexity of many of our respondents' lives. They must stay abreast of incoming state-level regulation such as the California Consumer Privacy Act (CCPA) and Illinois' Biometric Information Privacy Act (BIPA), as well as Federal Trade Commission (FTC) and industry-specific laws. In contrast, with a single source of regulation, our European CISOs said they had a slightly easier time implementing EU laws across multiple member states. Taking personal data laws as an example, under the EU's General Data Protection Regulation (GDPR), CISOs can proceed promptly to practical implementation. It's worth noting that this single source is often transposed into national laws in a slightly variable manner, and that supervisory offices often have different procedures.

Many of the CISOs have global responsibilities, highlighting that the Asia Pacific region has seen increased data protection enforcement: South Korea's Personal Information Protection Act (PIPA), Japan's Act on the Protection of Personal Information (APPI) and My Number, as well as the forthcoming Personal Data Protection Law (PDPL) in China all feature regular audits with sizable penalties imposed for lack of compliance.

The increased responsibilities reported by our panel show that the events of 2020 placed greater focus on business continuity planning (BCP) policies and their relation to the organization, operation and safety of the business. The CISOs we spoke with said they had increased their application of business impact analysis (BIA), taking a view of the dependencies that businesses have on technology and then appraising the necessary security controls.

"It’s about risk, and CISOs need to not make decisions that sit in other peoples’ responsibilities."

- Matt Stamper, CISO, Evotek

Many CISOs we spoke with told us that their role was increasingly viewed by their organization as less of an 'internal security consultant,' focused on the protection of the organization's assets and people, and more as an 'operational security officer.' This has revealed a new challenge: peers within the organization assume CISOs have considered the needs of every department, without taking responsibility themselves to understand the implications of cyber security.

A glaring worry from many respondents was that the CISO role is not given the level of importance due a critical business function – continuing to be viewed as a middle-management function and, as such, liable to be 'crushed' unless CISOs can be valued as advisors to the CEO. This could mean that the future of the CISO ends up combined within the role of a data protection officer (DPO), a specific industry sector specialist (fraud, SCADA, etc.), or an operational role.

Our interviewees recognized that the security landscape has broadened, and that the expertise of cyber criminals has increased both in capability and volume. This has mandated that they keep close to the battleground and continually look to understand new and evolved threats.

Our panel is fully aware that cyber security specialists are a rare commodity, and this scarcity stretches from school and higher education leavers all the way through to industry veterans. In turn, this has obliged them to step up their skills when it comes to talent management, reflecting a growing imperative to enhance and retain their existing workforce – or risk losing knowledge, talent and experience that can be difficult to replace.

"What is starting to change is the business is starting to take more recognition and ask questions. As CISOs are used to talking tech, they are being asked to talk more business speak."

- David Lello, CISO, Burning Tree

Depending on the size of the companies involved, our cyber leaders were being asked to contribute more at a business – rather than solely technical – level. A drive for cost efficiencies, increased capability and improved customer experience has encouraged or obliged CISOs to educate themselves outside the scope of cyber security, with the assistance of peers in understanding how their organization needs to compete in the digital market to serve existing and future customers. A large proportion of the CISOs we spoke with suggested this has compelled them to view cloud in a more positive light for both IT infrastructure and business applications – something of a must, given the surging importance of cloud to the success of many organizations.

Question #2

Have you needed to upskill around cloud security, device sprawl, RPA, AI, ML, Analytics, Threat Intelligence, etc?

Our interview subjects overwhelmingly (71%) said they had spent time reading up on emerging (digital) technologies. One of the more interesting topics was operational technology (OT) in manufacturing industries, targeted as a possible attack surface, which has been a keen interest for organizations, alongside supply chain evolution and the communication architectures used to run a business.

There was little-to-no feedback regarding the need to understand the day-to-day impact from Internet of Things (IoT) devices. IoT seems to be a new territory for security teams and our panel acknowledged the need to ensure that they can interpret the signal/noise levels these devices generate.

“We are diving heavily into security analytics to make informed decisions. In the past it was responding to alerts from SIEM, but we are now looking at a new skill set for analytics.”

- Leo Cronin, CSO, Cincinnati Bell

The majority of CISOs are avid readers, using books and reports to widen their knowledge and increase the relevance of a subject matter, prior to considering technology or policy in their business. They revealed a variety of topics covering privacy, DevSecOps, incident response, preparation modeling, and data visualization.

The desire for continuous improvement also includes mapping new frameworks such as NIST and MITRE ATT&CK. Many of the CISOs we spoke with worried about failing to stay current – and the potential impact of that on their career. This concern is not just focused on technological change but also the cyber security implications for regulation and privacy that are key boardroom concerns.

The consistency from CISOs regarding their need to increase their familiarity and knowledge about cloud was a continual surprise to the author. In the past, many CISOs have regarded cloud as a loss of control, but this has changed dramatically. Much of the urge to understand cloud technologies was conveyed in three pragmatic areas:

  1. The need to maintain the highest levels of threat detection and mitigation as attack vectors grow in complexity, while reaping the cost and operational benefits provided by a variety of managed security and cloud service outsourcing partners;
  2. A realistic desire to appreciate the value of cloud as an architecture whose importance will increase with the growth in digital applications;
  3. Applying insights gained from the first two areas as they focus on cloud security technologies that can consistently enforce how data and operations are secured outside of traditional boundaries.

"The way cloud works is different, so you need to go [back] to basics and get new skills."

- Dave Thomas, Director of Security & Privacy Engineering, GoCardless

Our CISOs continue to understand and mitigate data risk. For many, the continual struggle to be a data-led cyber security practice has raised the visibility of analytics as they endeavor to understand where their business data is used, created and transferred. The panel believe that their security teams are more responsive if they employ security analytics, driving towards more predictive and real-time threat intelligence capability.

The increased focus on mathematical analysis has raised the applicability of SOAR and more predictive (SIEM, MDR, NDR, EDR, etc.) offerings and their capability to deliver actionable insights. The CISOs told us they appreciate that they need greater supplementary data, requiring them to increase their knowledge of additional open source and third-party data feeds to increase their analysis of threats.

"Humans alone are ill-equipped to manage this environment."

- Dave Thomas, Director of Security & Privacy Engineering, GoCardless

Our panel understand that humans alone are ill-equipped to manage the complexity and increased diversity of threats. CISOs recognize the growth of AI and machine learning (ML) in OT and IT, constantly reviewing the use of these technologies for cyber security to determine if they can really add demonstrable value – and, for that matter, whether these technologies have left their infancy. One area that appears to be gaining traction is user protection such as user and entity behavioral analytics (UEBA) and the incorporation of ML characteristics into identity and access management (IAM) controls to protect users of technology from themselves and supplement the role of a security analyst.

It was clear from our conversations with CISOs that a move to perimeterless environments is ushering in a new focus. Data, rather than assets, are the point of concentration and where CISOs are working actively to build and renew skills and knowledge.

Question #3

Have you had to increase your business skills and the impact you have on company achievements?

Sixty-one per cent of the CISOs we spoke with strongly believe they need to up their business skills. Not only that; they felt they must now continually engage with others across the business, updating them on new developments and identified risks. A significant part of this engagement is to use their own skills and those of their teams, alongside potential technology in anticipating and conveying the impact on the business should it suffer a cyber incident.

Performing this level of interpretation and communication requires our CISOs to have both a strong understanding of the organization they protect and the ability to apply a technical perspective to operational excellence to fulfil their responsibilities.

"I need to be positive about the competition and how they are becoming more digital."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

Digital change and keeping up with the competition

Growing digital operations also obliged the CISOs we spoke with to understand a fast-evolving marketplace.

Many of the respondents spend considerable time examining and researching how their competitive peers are using digital to reach their audience, as their own business will either be in the process of, or may shortly implement, similar engagement strategies. They expect to be asked to provide guidance on the technological and security risks and benefits of doing this work.

"I don't think you can separate the technical from the business anymore, you have to understand the business impact from a technical perspective."

- Scott Goodhart, CISO Emeritus, The AES Corporation

The largest challenge our CISO panel faced when attempting to demonstrate the impact they have on business achievements is their ability to, in the words of one respondent, "raise the profile of security to be a positive protective element of the business." This is a significant turnaround from being seen merely as an internal security practice. Many believe that overall business risk remains the responsibility of the CEO, but when it comes down to security risk, "this is not the CEO's responsibility: it belongs to the CISO," to quote one of our interviewees. The role of the CISO as risk mitigator has meant that many have taken it upon themselves to understand what dependencies the business has on technology.

"Absolutely. CISOs need to understand the company strategy and how cyber security could help with it."

- Gene Zafrin, CISO, Renaissance Re

The impact of working from home

'Home working' became 'just working' for many of us during 2020. This abrupt change to common working practices gave CISOs entry to task groups assigned to redefine the working environment and upgrade or introduce technologies that make the business more efficient, such as digital signatures and workflow validation. In the same way that face-to-face interactions have been overtaken by the leap to video conferencing, engaging with employees via new cyber security e-learning modules is helping businesses to secure themselves from attacks.

Has your role created a larger diversity of internal and external engagements?

Knowledge sharing should be a major part of any individual’s day-to-day activities, and many CxO roles profess to have intrinsic learning and knowledge contribution across peer networks. CISOs take this to another level. Over 66% of our panel spend significant amounts of time with external communities of interest such as CISO roundtable discussions and SME groups.

These contacts allow them to exchange notes with peers on topics ranging from day-to-day issues and business networking to the discussion of operational cross-CISO collaborations. There was a distinct regional difference: at 78%, US CISOs scored almost 50% higher than their European peers when it came to professional contacts of this nature.

Around the world, raised awareness of cyber security has meant the CISO is now party to conversations and decisions previously closed to them – and this has provided them richer, more numerous relationships across the business, as well as earlier access to initiatives and projects.

Not surprisingly, our interviewees were pushed and squeezed into new working practices by the events of 2020. Stronger internal engagements and the provision of relevant security tools are proving critical as cyber security has added new responsibilities.

"CISOs should engage widely with different parts of the business to understand what cybersecurity could do for them."

- Gene Zafrin, CISO, Renaissance Re

"We need diversity to understand how cybersecurity fits into the company - international diversity on how things operate differently across countries and industries and socio differences."

- Matt Stamper, CISO, EVOTEK

"Core diversity across the central team. Seniority is not always the best, it's the idea that counts."

- Hitesh Patel, Head of Cybersecurity, Cloud Computing & Digital Infrastructure Audit & Risk, Fidelity Investments

"Before, the CISO was in a silo as the IT guy, now he is the visionary of the new economy."

- Mauro Israel, Corporate CISO, ORPEA Group

"Yes, we have more external conversations with CISOs of most major customers and their boards."

- Andrew Rose, CSO, Vocalink (A Mastercard Company)

While engagements with peers across business units and functions are on the rise, some of our CISOs remained skeptical of the outcome of all this security knowledge-sharing within their own organization.

Some were resigned to the fact that a minority of senior management will remain stuck in their ways and reluctant to embrace more inclusive, diverse and digital-led ecosystems. This mindset causes problems and challenges for both current and future operations.

To avoid this, our panel recommended that non-IT related senior management use their own network and conversations to appreciate how cyber security operates differently across countries, industries, and cultures. CISOs believe that their widening of engagements promotes communication based on openness, reality and facts instead of using role power to convey beliefs that may result in a more negative and less diverse approach.

External engagements are now more diverse and include regulators, government agencies and banking merchants to ensure that the CISO can hear directly what they need to consider and where other peers may have best practices to ensure compliance. In addition, many of the CISO’s business contacts, suppliers and customers are reaching out for subject matter expertise for their own organizations. Mutually beneficial discussions have increased, as the growth in ransomware attacks has meant connected third parties need to understand the possible impact of such attacks from each other’s perspective.

Question #4

Do you believe that your role will become more critical to your business?

Regardless of their employer's scale, our CISO panel agreed that their role is now recognized as a senior management position. Of those CISOs already holding a seat on the board, there is confidence that their role is as critical to the business as other CxO positions. It is worth noting that, while this may appear to contradict the points made earlier in this chapter, it's more accurate to say this reflects a dichotomy. CISOs may be relied upon as senior managers, but they've not always been identified or rewarded as such. Almost two-thirds (65%) of the CISOs in this study believe that they are critical to the business. Respondents from the US scored their value perception as slightly higher (7.4 average) than European CISOs (6.1). Respondents on neither side of the Atlantic expect these numbers to change dramatically any time soon.

"It depends on the business. As a security leader we have to practice what we preach! Enable businesses to create the right security culture, awareness and to build cyber resilience. Trust, resilience and good communication is critical."

- Chani Simms, CISO, She CISO Exec

The recognition of strategic and operational value

CISOs are also confident in the value they bring to their employer. They see the role they play as just as valid as that of other big functions, like human resources or finance.

Three-quarters (75%) of the CISOs we spoke with acknowledged that their role has significantly moved from a pure focus on network risk to cover every aspect of technology now being deployed. This was particularly evident from those respondents hailing from healthcare, manufacturing and retail – sectors that eagerly adopt all forms of IT to increase business value, including the digital security of employees, business partners and customers.

"There may be a new name for the CISO, that more broadly represents its responsibilities collapsing into a Chief Security Officer rather than CISO."

- Scott Goodhart, Emeritus CISO, The AES Corporation

As cyber security becomes more recognized as a practice that enables the wider business, CISOs understand that they need to demonstrate value to risk management as part of the greater accountability and responsibility that comes with it.

Some of our panel believe that you cannot divorce the physical from IT security, so the term 'CISO' itself may evolve so that the individual’s all-encompassing responsibilities are understood; one suggestion was chief security officer. Job title aside, our panel deemed that their role is unique in providing a perspective on business risk and conveying a probability that their company will, at some point, become a more interesting target to the plethora of cyber criminal personas.

There is a caveat: some of the more skeptical respondents have concerns about the long-term value of their role. These CISOs believe that unless their work is truly understood – as part of the standard operating model – it could become commoditized or consumed into just another function, rather than recognized as a strategic asset.

New levels of confidence

Suppliers and clients of a business often turn to CISOs for the appropriate risk management knowledge needed to discuss, plan, implement and guarantee cross-organizational security. This level of confidence coincides with the increased integration of supply chains, triggered by digital and ecommerce growth.

"With an increase in ecommerce and online financial transactions, coupled with the maturing of privacy laws around the world, the need to have a strong security role is becoming more critical to an organization’s success."

- John Scrimsher, CISO, Kontoor Brands

Some CISOs recognized that the data protection or compliance officer is a custodian of data. As a result of more privacy laws and regulation, many CISOs feel required to amplify their role and become custodian of everyone and everything that has a data association.

The quarter (25%) of CISOs that scored between 1 and 5 on the scale when asked if they feel their role is critical to the business could be regarded as more cautious, believing that the role will probably stay the same. They were consistent, however, in conveying that 'staying the same' does not diminish the importance of that role.

Question #5

Do you believe your role has increased in EQ as well as IQ?

"The requirement for security is no longer just about technical understanding, you need a better understanding about people and how they interact and react."

- Scott Goodhart, CISO Emeritus, The AES Corporation

For most people, emotional intelligence (EQ) is more important than one’s intelligence (IQ) in attaining success in their lives and careers. As individuals, CISOs are largely seen as highly intelligent but somewhat unapproachable, one of a small number of techies at the boardroom table in many organizations. This stereotype may be just that, but it remains hard to shake off in some cultures. From frontline security and incident response teams all the way up to the CISO, the ability to empathize with users, managers and stakeholders and respond correctly is prized. It is also increasingly necessary, for more immediate reasons.

"When you go to remote services and distance learning, people call when panicking, become less tolerant to wait for the answers."

- Nathan Reisdorff, CIO, New England Law

"The majority of role is about how you deliver through others and get others to drive a security model."

- Dave Thomas, Director Security and Privacy Engineering, GoCardless

The success of CISOs and the success of the profession depends on their ability to demonstrate they embody the view that 'EQ is everything to the business.' And it isn't just management-speak; the prominence of EQ as a business skill is being included in some regulatory requirements for publicly listed companies in France.

"Your EQ is the level of your ability to understand other people, what motivates them and how to work cooperatively with them."

- Howard Gardner, Research Professor of Cognition and Education at the Harvard Graduate School of Education at Harvard University


Our interviewees recognized that a major aspect of their role is how they deliver through others and have them promote a security model. It has been clear from the interviews we conducted: 66% of CISOs clearly understand that each of them must develop the mature emotional intelligence skills required to better understand, empathize and negotiate with other people – particularly as globalization continues apace.

While 71% of US CISOs scored heavily, at 7 or above, only 57% of European ones matched this level of enthusiasm, with the remaining 43% scoring in the 3-6 range.

Far from being the unapproachable individual that the CISO persona may be associated with, many of the CISOs we spoke with recognize that they need to ask for help – and they believe that on the emotional side they need to be more forgiving of themselves to alleviate self-imposed pressures to get everything exact.

EQ has its place, especially in situations where the more dominant IQ traits of CISOs tend to emerge. Our panelists were generally prepared to accept that they will be held to account for many things beyond their control, such as shadow IT implemented without their knowledge, and the reluctance of peers to accept their responsibility for understanding the impact of cyber security within their own roles. They were adamant that this is something they are addressing, aiming to be a more conscientious EQ CISO who uses these new skills to engage more widely across the business.

With the new working normal, CISOs must extend the notion of EQ to their security teams, to better support their employees. Distinct from a helpdesk function, the CISOs understand that their team needs to know why someone is making the effort to engage with them or their team, rather than just focusing on the technical resolution.

"EQ has driven the capability to engage with non-IT in metaphors to make it easier to understand. Proper communication will drive a positive environment."

- Todd Gordon, Director, Information Security, EisnerAmper LLP

As the volume and frequency of communications from security teams and CISOs to the rest of their organization increases, the need for plain speaking, open communications that avoid jargon and ‘IT speak’ become increasingly important. Clear and open communication in the other direction, so that employees can be heard and provide positive and critical feedback, is equally vital to success. The CISO and their security organization will not have all the answers – but they should be in a position to help find those answers.

Question #6

What do you believe you need to improve to excel in your role?

Across many of their responses, our CISOs have characterized their role, and that of their security specialists, as a responsibility to continuously learn. Although we know that good leaders will prioritize the skill sets of their teams, we specifically wanted to know what skills they are missing or need to improve in their capability that allows them to provide a first-class cyber security service across all their interactions and for personal satisfaction.

"The largest room in the world is the room for improvement. I always ask myself ‘How can I do better tomorrow’?"

- John Scrimsher, CISO, Kontoor Brands

"It may sound trivial, but to understand my own direct reports better. The biggest impact I could make is to ensure that every member of the team is successful."

- Gene Zafrin, CISO, Renaissance Re

The CISO's job is traditionally a technical role, so ongoing development of these skills – especially around some of the newer emerging technologies – is seen as a priority. They also appreciate that they should maintain up-to-date knowledge of IT, of the techniques used by hackers and of the associated tools in use.

How CISOs can become better business enablers

As the role of the CISO now encompasses the need to understand more business-related competencies, they acknowledge that understanding industry and privacy regulations needs to be fully appreciated. They know that CxO management expects them to have an informed position for the company to remain compliant.

"Like most CISOs, I’d like to strengthen my business relationships, so I can improve communication with the key managers in the company on how to enable their business lines, beyond just risk reduction and related to productivity resilience and cost avoidance."

- Mike Davis, CISO, Alliantgroup

As a critical member of a company's operational team of excellence, CISOs need to continuously widen their internal and external engagements, primarily for two purposes. The first is obtaining business knowledge by interacting with areas such as the COO, legal and M&A teams, allowing the CISO to appreciate how the company makes money and what risks (outside of security) could impact its objectives. Secondly, widening their external network with more 'peer group' interactions and with regulatory, trade and government agency partners will provide them with new insights and also allow them to promote their role as a business enabler and extend the operational excellence of their business.

"I need to be positive about the competition and how they are becoming more digital."

- John Scrimsher, CISO, Kontoor Brands

But many CISOs just don’t have enough time in the day. They can become overwhelmed running from cyber fire to cyber fire with too much smoke to clearly view the bigger picture. They do not always have the capability to stand back and put the overall problem space into context. Trying to find 25 hours in a day, the ability to survive on very little sleep, being less worried and paranoid, as well as remembering they have a home to go to were not uncommon comments. The CISOs accept that in many cases they spend too much time in the depths of technical operations and need to learn to trust their teams more and let them do their jobs. By doing this they will have more time to look at their function in a more strategic manner.

Driving the right behaviors

There was appreciation that greater soft skills will encourage more effective interactions. In the past the tone of security discussions was less about value and more about highlighting the fear, uncertainty and doubt (FUD) – encouraging the suggestion that 'maybe we need more incidents to be taken seriously.' This is an approach with limited utility and long-term downsides.

"How to 'Sleep in Shifts' and increase my understanding, patience and business judgement into a language that a retail business will find compelling."

- Simon Goldsmith, APAC Information Security Officer, Adidas

Communicating more effectively in a language that allows every interaction to be accepted as a positive interchange and approaching security issues with example anecdotes would help the CISO to convey risks and threats in a less intimidating manner. This kind of approach would boost the likelihood that the security message is clearly received and understood.

Ensuring that their security teams are effective remains a priority for the CISO. Engaging more effectively with their teams requires CISOs to work on improving their EQ (emotional intelligence). They are striving to understand their teams more on an individual basis: how to stimulate them, recognizing that each individual is different, understanding their personal insights, and adjusting their interactions to increase the opportunity for each individual to be successful.

The CISOs we spoke with want to explore new techniques to increase the value that each team member sees within themselves as a valued contributor. In realizing this, CISOs hope to create a more productive and rewarding environment that retains and develops individuals as part of the company’s long-term success.

If the CISO approaches their talent acquisition with the same attitude, they will be able to employ and retain staff to whom they can delegate greater responsibilities.

Secure in their role and the well-being of their team

Security in security: At the time of this research project (July to September 2020), 65% of the CISOs said that, even with all the issues the world has had to cope with in 2020, they feel more secure in their role. Only 37% of CISOs indicated that they are considering moving from their current position or leaving the industry.

Stress levels across CISO teams are being managed, with 78% of respondents scoring consistently within the mid-range (4-7). However, when asked whether they had recognized increasing levels of burnout in their teams, 71% also scored in the same mid-range, indicating that human resources and occupational health teams need to engage more with the CISO, their security teams and the wider employee base in handling stress.

Budgets appear to remain consistent cross-industry, averaging 53%, with 39% of respondents seeing improvements in their budgetary spend. When asked about how CISOs allocate budgets between responsibility (company objectives) and accountability (delivering secure operations) of their role, 64% placed themselves directly in the middle (5). CISOs accept that as a member of the senior management team they need to deliver on the business objectives, as well as ensure that their responsibilities to deliver a secure operating environment across the entire value and supply chains can be shared across their own and other teams.

Question #7

How could your peers and reporting line management help you succeed?

The CISOs we heard from were adamant they should not be singled out for special treatment as corporate celebrities; far from it. Their belief was that, with other senior management, it was imperative to encourage regular dialog in an open culture, taking a personal responsibility to educate themselves in the essential deliverables of their peers and management's KPIs (key performance indicators). In contrast, respondents were clear that others should not be responsible for understanding their role and KPIs.

The CISOs know that it is down to them to learn how to communicate in a clear and unambiguous manner about what they see as possible risks to the business, employees and consumers, and align these concerns to the enterprise risk management framework.

Clear and aligned concerns can only be communicated if the CISOs are educated and informed about the business they work for. Understanding what the business does, how it makes money, what initiatives are underway, what relationships in the markets are important, as well as those with regulators and agencies, are all key insights for our CISOs.

But it should never be down to the CISO alone to seek to support the business. Instead, it should be a team approach with other peers, each valuing insights and suggestions to increase the security and effectiveness of the business. CISOs do not have a sixth sense.

"Peers could use themselves as ambassadors to the company. Security is for all in the company and reporting things that are suspicious."

- Royce Markose, CISO, rewardStyle

Some CxOs must foster a more engaging culture, changing their attitudes, and end their belief that everything ‘security’ is the sole responsibility of the CISO, or only relevant when the next compliance audit is due.

They need to take a level of accountability for security in their domain and ensure that the CISO and their teams are engaged to embed this in their processes. CISOs can help their peers identify how they should do this, thereby increasing the value across the entire management team. The bottom line for 360 support is as much about peers seeking support from the CISO, so that the CISO and their teams can have appropriate visibility to think about any issues.

'Not my job' and shadow IT are friction points

Some of the CISOs acknowledged that they break up their teams to proactively support different business units to achieve that unit's objectives. However, when levels of engagement are low, some IT departments become reactive and wait for the security team to advise.

This risks piling the workload onto the security team, requiring them to be experts across all technology.

One of the largest challenges that the CISOs raised was the growth of shadow IT. The owners of the various business functions may encourage the implementation of dedicated shadow IT for specific business efficiencies, but they do not comprehend that the CISO's team has no visibility of, or insight into, what programs and apps have been installed. This lack of visibility for the CISO, combined with negligence by peer groups, means that shadow IT does not get deployed with the appropriate levels of security hardening, increasing the attack surface and risk for the company.

"Clear communications, no blame culture, sharing knowledge and mentoring goes a long way."

- Chani Simms, CISO, SHe CISO Exec

Outfitting is better than Retrofitting

Reporting line management – primarily the CEO and CIO – need to establish and continually measure the effects of cyber security as an integral part of their business operations and a key area of enterprise risk. Think Safe: Think Security.

Clear direction, communicated directly by the CEO or CIO, encourages a security culture within organizations.

This would encourage everyone to provide feedback on suspicious activities, ensuring that all operations are undertaken with security by design.

Peer and line management's understanding of how CISOs and their teams can help support and innovate business functions is not that difficult if you do it from the outset of a project, application introduction, change management adjustment and even at the integration or creation of new business units. Retrofitting requires a change of attitude and that can be more difficult.

F-Secure Countercept perspective

What follows is a short commentary from F-Secure Countercept’s perspective. This is informed by the constant engagement and dialog we have with CISOs, both customers and acquaintances, combined with our view of the breadth of attacks aimed at our customers.

CISOs are wise to devote time and effort to regulatory compliance, but it is not the only thing necessary to ensure success. Regulation, especially when it comes to privacy and cyber security, is often late to the party. Although improvements have been and continue to be made, our perspective is that effective cyber security risk mitigation has to go further than the minimum legal requirement. Successfully meeting regulatory requirements hardly ever results in a secure organization, just one less likely to fall foul of the law in the event of a breach that harms it and its customers.

We’d also want to sound a slight note of caution around two key technologies. SIEM and analytics are invaluable additions to any cyber security operation’s toolkit.

However, SIEM and analytics are not immune from the hype cycle and sometimes their capabilities are overstated. They aren’t a magic bullet, as the panel rightly observed. The answer to the security challenges we face is rarely 'collect more data.' Rather, it's 'get the right data, interpreted the right way, at the right time.'

We have learned that collecting and processing the right data is the most effective way to address these use cases, particularly when it comes to threat detection.

Understanding the role of the human in handling and interpreting data such as this is vital, and something we have spent time and effort working on, specifically around the work of our detection and response team.

Communicating well – with both one’s own business and third parties including regulators and law enforcement – is a challenge we know well and devote significant time to getting right with our customers.

It is often a key requirement from the CISOs we deal with that we help them articulate the value of good MDR, often in the wider context of their team’s role. This often requires that both the CISO and our team spend time with other parts of the business establishing lines of communication and setting expectations – on all sides.

The F-Secure Countercept team continues to spend time with CISOs and their teams, advocating the role of security and the value of investments in different tools and capabilities to leaders.

At a very high level, the interpersonal communication challenge highlighted by CISOs comes down to the personal relationships and communication skills within organizations’ hierarchies and with outsiders. But it can also boil down to reporting processes, choice of metrics and other small but significant factors.

During service delivery, this means working to communicate cyber security risk and the value of investments. It is also important to understand which metrics – and what about the metrics is valuable – are important to each organization and each team within it.

A key part of the F-Secure Countercept proposition is what we call Peacetime Value³, which involves working with customers to get the visibility and evidence they need to both ensure and demonstrate to their organization and regulators that they are doing the right things – and doing them well.

Ensuring effective operations is a responsibility, and one that CISOs have had to work at even harder than usual over the past year. Sometimes the urgent can drown out the important. Strategic thinking, influencing how one’s organization approaches new challenges from a cyber security perspective, and other equally important tasks have compounded the juggling act CISOs have had to perfect recently.


Research methodology

The author of this research is Kevin Bailey (an independent cyber security analyst from Synergy Six Degrees on behalf of Omnisperience) and it is published by F-Secure. F-Secure funded the report while all interviewees contributed on a voluntary basis.

The qualitative interviews for this research have been conducted independently from the sponsors of the work. All editorial control has remained with the author.

Interviews

Twenty-eight interviews were undertaken between July and September 2020. A total of 23 interviews were conducted one-on-one and five interviewees provided their responses via the qualitative questionnaire, all on a confidential basis. At no time was the sponsor aware of the full interviewee list. All call-out and respondent listing attributions were sought by the author following completion of all interviews. This approach was adopted to encourage candid contributions. The setup and questioning approach has been designed to avoid bias, and where there has been risk of bias, this has been explicitly discussed in the interviews. Only three of the interviewees were existing F-Secure customers at the time of the research. Each interview lasted at least an hour, with most lasting around 90 minutes and many leading to follow-up conversations to discuss the conclusions of the research.

Cohort

The cohort of interviewees was approached based on their depth of expertise and was selected to build a balanced set of inputs.

The author had no commercial connection with the interviewees.

The participants were assured that the report was not intended to directly state, imply or intimate that they endorsed or validated any sponsor products or services. The roles covered in the cohort include CISOs (or equivalent title), Head of Cyber Security, Director of Information Security and Head of Threat Intelligence.

Financial services is the most strongly represented cohort.

Research methodology

Twenty-eight qualitative interviews, supported with targeted quantitative data points, were used to achieve a grounded theory of the research objective.

Research period
July - September 2020

Geography
Europe - 14
US - 14

Industry
Finance
Energy
Commodity Trading
Services
Manufacturing
Engineering
Health
Education
Digital Platforms
Telecoms
Cyber Security
Accounting
Food

Titles
CISO - Chief Information Security Officer
CSO - Chief Security Officer
CIO - Chief Information Officer
Director of Security & Privacy
Director IM and Security
Director Information Security
IT Director
IT Security Manager
