The days of the purely technically-minded information security expert are ending. The modern CISO can’t stay tucked away in the IT department, installing updates and emailing out password advice. Nor can they be a wholly management-minded corporate leader, talking the talk without actually being able to walk the walk.
The CISO of today needs to be a diplomat and an advocate, using a foundation of technical understanding to support their companywide change management programme. They must draw on solid communication skills to persuade all business divisions to own cyber risk in their own dominion, whether it is the board investing in security products or staff, or employees thinking twice about opening an email.
Unfortunately, even if a CISO comes equipped with these potent skills, their success is tethered to the organisation that hires them. If the business doesn’t fully understand the role of the CISO, or what they need to succeed in such a responsible role, there can be little progress.
This seems to be a problem across various industries. Many businesses are anxious and ill-informed. They may cling to security checklists as they become increasingly alarmed by the major breaches hitting industry-leading organisations. There is also a historical understanding of security as ‘protecting assets’, rather than recognising that cyber security is more about risk management and changing behaviours. This misunderstanding hinders a CISO, and yet the finger of blame is quick to point if a breach should happen. Nearly a third of CISOs believe they will be fired or officially reprimanded in the aftermath of a cyber attack.
Considering the high pressure of the role and the frustrating circumstances many are trying to perform it in, is it any wonder, then, that one in every four CISOs admits suffering mental or physical health issues from their work? 17% of CISOs are either medicating or using alcohol to cope with job stress. Almost 90% of CISOs work longer than the average 40-hour working week, so stress is compounded by exhaustion.
All these alarming stats are drawn from a new report Nominet published recently on ‘Life inside the Perimeter: Understanding the Modern CISO’. In conjunction with Osterman Research, we spoke to hundreds of CISOs on both sides of the Atlantic to find out what the reality is for them in their jobs today. We wanted to try to get inside the eyes of those trying to navigate the multi-faceted, people-focused role they now take on in organisations riddled with cyber risk and in constant fear for their reputations.
The results paint a stark picture of the pressure CISOs are under and the toll it takes, both on themselves and on the business in which they are trying to work. Without the resources to better monitor an organisation’s networks, hidden threats will remain undetected and will cause havoc. Without the support to drive a culture change across the company and inspire the staff to ‘think secure’, the potential of a phishing email becomes ever deadlier. Without the budget to invest in the cyber security products that provide actionable intelligence and supplement the internal skill set, the networks will be left as a playground for criminals.
The role of the CISO has emerged from nowhere in just a handful of decades, but it seems imperfect in its current form. All of those who employ a CISO need to step up to ensure they understand the role they are truly paying them to take on. Only by better aligning the expectations we have of the CISO with their constraints and capabilities can we support them, empowering them to be successful – and healthy.
The stats from our CISO report have been well-shared as they are attention grabbing and alarming, but I hope that the ramifications are more meaningful in the long term. I hope this research will provoke wider debate around the role of the CISO and propel discussions on exactly what they do and how, and how the job description needs to evolve in these changing times.
Originally posted here