What Keeps Chief Information Security Officers Up At Night?


Accountability to the boardroom tops the list of late night worries

Los Angeles, Calif. – June 18, 2018

Getting a good night’s sleep has become increasingly difficult for CISOs. The way I see it, there are 3 clear reasons for this and they all center around RISK. After all, aren’t we as Cybersecurity Professionals all in the RISK business?

I had the privilege of presenting at two incredible events this quarter – the FS-ISAC Summit and the Gartner Security & Risk Management Summit – and the CISOs in attendance agreed. If you don’t – let me try to convince you with the points below, and of course, I welcome your feedback!

So What Keeps a CISO Up at Night?

1. Accountability to Leadership – Being held accountable for delivering on expectations as the board/C-Suite provide investments to improve security.

While cybersecurity is now a board-level conversation globally, many CEOs still don’t get it. A 2016 Forbes article by Steve Morgan, founder and Editor-in-Chief at Cybersecurity Ventures, refers to a report which states that more than 90 percent of corporate executives say they can’t read a cybersecurity report and aren’t prepared to handle a major attack.

You know what – I’m ok with that, because at the C-level that’s not their job. What they need is their CISO to position risk effectively and help them understand the delta between the current state of their technology hygiene and what a healthy state will look like.

That’s a challenge in and of itself because the CISO is tossing and turning at night asking, “Am I buying the right technology? Does it have staying power? Can it scale? Am I patched? Is my environment truly healthy? How will I really know?”

Sounds like a restless night to me.

Being able to effectively communicate the current state and what “good” looks like is imperative for a CISO to develop an action plan with target milestones to present to their board.

2. Capability – Do I have the right skills, and right people, to do the right things?

The cybersecurity labor crunch is getting worse, not better. Identifying the right skill sets is the easy part. Finding experienced people is a whole different story.

Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from 1 million openings in 2014. Competing for talent in a highly competitive labor market is timely, expensive, and downright scary.

For many organizations, a shortage of cybersecurity workers is their greatest risk factor. In response, MSSPs (managed security services providers) have become a popular choice. But finding and vetting the right MSSP is an altogether new challenge for CISOs and their teams.

Risk presents itself in a number of ways here:

  • Have you assessed all third parties and contractors supporting your environment?
  • Are you highly dependent on one or a small subset of individuals to run a portion of your technology stack?
  • Do you have documented processes and procedures to follow in the event of turnover?
  • What is your training plan to ensure your team keeps up with security trends within your technology stack?

There is no easy answer to recruiting and retaining the right cybersecurity people – I’ve said it before and I’ll say it again – there is 0% unemployment in our space. What’s important is that you match the team you have (internally and externally) to the security action plan you set out. What skills do you need? Where are they coming from? Who is providing the direction? And – how has my plan been assessed and vetted?

3. Compliance & Privacy Regulation – yes, the dreaded acronym – GDPR. We also have to consider state legislation and/or government regulations on security, privacy & compliance.

Compliance will be the biggest driver of security in the coming years. I firmly believe compliance drives over 50% of the market today.

Take for example the General Data Protection Regulation (GDPR), which applies to anyone, literally any company in the world, who receives data from the EU. What’s scary about the GDPR is the financial risk associated with non-compliance.

GDPR is one of numerous compliance mandates that organizations globally are grappling with. There’s also DFARS, NYCRR 500, FISMA, GLBA, SOX, and others.

The challenge here is it’s easy to think, “that will never happen to me”. That’s what we all used to think about cybersecurity incidents right? Right?

Given the financial pain of non-compliance, CISOs can’t afford the risk. To me this one comes down to expert advice. As a CISO you need to surround yourself with the right information. If you haven’t already, engage three kinds of experts to support your compliance readiness:

  • A cybersecurity service provider to provide recommendations and risk mitigation tactics
  • A managed security services provider to support with 24×7 monitoring and management of security technologies
  • Legal counsel to review your organization’s efforts and provide legal feedback on the compliance regulations your company is subject to specifically

So there you have it – CISOs are looking a little sleepy because they’re constantly concerned with being accountable to leadership, managing their capabilities and meeting compliance requirements. In today’s landscape it’s important that they balance all 3 with their organization’s risk profile. How they effectively communicate their current state vs. a healthy state, and what risk looks like at different levels of investment, is critical.

I heard an excellent keynote on Day 1 of the Gartner Summit that referenced how CISOs need to operate in the center of what is important, what is dangerous and what is reality.

If they can find that balance, they should be able to get a good night’s sleep! Easier said than done, I know…

What else is keeping you up at night? Let’s keep the conversation flowing.

To your success!

RH

Anthony L.

Consistency | Reliability | CCTV Innovation | Infrastructure Repair | LGBTQIA + Network Leader

5y

What is it worth to your brand? Can you put a value on your brand, and what happens if your brand gets hacked? What does that do to your reputation? I took a class in executive cybersecurity strategy, and for a full week we debated the importance of brand reputation and how a reputation / trust can be tainted, potentially hurting your future growth. Because now you have to regain the trust that was lost because of not having the proper protection of your brand.

One time on Shark Tank you said that a tech company needs to have a tech geek in a leadership position, and now the points you highlighted here indicate that every company operating using the internet needs one cyber security amateur in a leadership position to at least be able to comprehend the risks which external agencies highlight after the security assessment.

Ritesh Patel

Looking for an Opportunity

5y

If he is staying up, then something must be wrong with the system, or there are too many unknown factors in the system, or he did not do any risk assessment to identify the risks to mitigate.


I don't remember the last time I had a good night's sleep. I was wondering about my performance as CIO and CISO. Now I know better. It is part of being in the RISK business. Risk mitigation is key.

Rusty Covey

American Monk You stop to think & I'll be a step closer, think again, I'm now beside you, think again I'll have your job

5y

What good is your imagination if you can't create on the go? Let's say you're full of knowledge, have the right skills, and totally love what you do. So, what do you suppose is holding you back? You're too attached to a life that takes you up one day and drops you the next. This up and down will from anywhere. What do you think you need to do to get hold of that creative edge, that place between the present and the future? You've got to be able to let go: yesterday never happened, nor the day before, the week, the month, and so on. We live in a material world instead of a creative one, so it makes perfect sense to keep recalling the past instead of creating a future which hasn't materialized yet. If you couldn't remember, recall, or reflect on it, you would get into everything you do in the present. Everything you do, you can't help but give it 100%. Guess what else? There's no attitudes, there's sad emotions, there's no mood, there's no downs or ups, there's no mistakes or failures. And this is just a few things. Are you ready for humanness to take over you, to live in the natural state? Mr. Intrinsic
