
Can CISOs Meet Expectations?

As we head toward 2025, are the duties and goals of a chief information security officer achievable? Are CISOs set up for failure? Should position descriptions be changed? Let’s explore.

I recently asked ChatGPT this question: What does a chief information security officer (CISO) do?

ChatGPT offered me two answers to choose from, and I am listing the second one below because it was less than half as long as the first response.

“A Chief Information Security Officer (CISO) is responsible for overseeing and managing an organization's information security strategy. Their primary role is to protect the company's data, networks, and systems from cyber threats and ensure compliance with relevant security regulations. Key responsibilities include:
  1. Developing Security Policies: Establishing policies, procedures, and protocols to safeguard information assets.
  2. Risk Management: Identifying potential security risks, conducting assessments, and implementing strategies to mitigate these risks.
  3. Incident Response: Leading the organization's response to security incidents and breaches, coordinating efforts to minimize damage and recover from disruptions.
  4. Compliance: Ensuring the organization adheres to legal and regulatory requirements regarding data protection and security.
  5. Security Awareness: Promoting security best practices within the organization, often through training and awareness programs.
  6. Collaboration: Working with other departments, such as IT, legal, and management, to integrate security into all areas of the business.
  7. Monitoring and Auditing: Overseeing ongoing monitoring of security systems and conducting audits to evaluate the effectiveness of security measures.
“The CISO plays a crucial role in aligning security efforts with business goals, ensuring the organization's digital assets are protected against emerging threats.”

Assuming this CISO role definition is mostly accurate, is this position largely set up to fail?

No doubt, this answer leaves out many practical aspects of the modern CISO role, such as managing teams of people, contractors, contracts and more. But even if we just take the last sentence, can CISOs truly ensure the organization's digital assets are protected against emerging threats?

DIGGING DEEPER

Back at the end of May, Jonathan Fischbein wrote this piece for Forbes, where he unpacked questions on “Bridging Cybersecurity Expectations And Reality To Empower CISOs.” Here are a few highlights:
  • Cybersecurity has evolved into an indispensable foundation for doing business.
  • As a consequence, the traditional network security perimeter has been made all but obsolete.
  • The consequences continue to shape markets and regulation today.
  • Cyber insurance premiums are becoming unaffordable for many organizations as underwriters find themselves on the hook for more and more breaches.
  • Cybersecurity has migrated to the C-suite and the boardroom as a result. Gartner predicts that by 2026, 70 percent of corporate boards will include at least one member with cybersecurity expertise.
  • One of the leading causes of CISO turnover is too much time spent firefighting.
Fischbein goes on to make recommendations around simplification of networks and consolidation of platforms to help.

Back in 2019, I wrote a blog examining why "CISO Expectations Are Becoming Impossible to Achieve":

“The multiyear rise in data breaches, ransomware attacks and insider threats has led to a surging global need for cybersecurity leaders to save the day. But here’s why the CISO ideal is harder than ever to deliver.”

I started that blog with a fictional job posting that was supposed to be funny but reflected how many CISOs feel about the weight on their shoulders and the impossible task before them.

Here was one item on the list:

“Most important of all: The search committee expects this new CISO to ensure (in writing) that NO DATA BREACHES WILL EVER OCCUR ON YOUR WATCH! Any ransomware attack or phishing attack that is successful against any of our company staff or contractors (for the bad actors and against our organization) will be considered an unacceptable security incident for the purposes of your limited-term legal agreement. Note: This one-sided contract shall be signed on the first day of work. …”

The amazing aspect of this topic is that the CISO role has only become more difficult over the past five years, with increasing threats, ever-changing new technologies and a very different set of workforce expectations.

TOOLS TO HELP CISOs

This blog offers many resources to help CISOs with their very difficult list of responsibilities and goals, and here are a few of those blogs to reference:

I like this SANS webcast entitled, “From Compliance to Leadership: What Every CISO Needs to Know”:

More than three years ago, when I was chief security officer at Security Mentor Inc., I did this fireside chat with David Raviv, which can also help:

FINAL THOUGHTS

Back to the original question: Can CISOs meet expectations?

I think the answer is “no” for the majority of CISOs, because they lack the authority, tools, staffing and other resources to be successful in the long run. CISOs also face a landscape that is rapidly changing with new technologies and an accelerating global threat landscape.

Does that mean I lack hope? Again the answer is “no” because I see many successful CISOs in the public and private sectors — despite the odds. These cyber pros go the extra mile to do more with less and protect enterprises in remarkable ways. I also see business recognition of the issues and challenges in front of us.

So what’s my point?

We need a high-priority conversation with all stakeholders on how we can work together to make sure that CISOs are successful and receive the resources needed to “bend the curve” regarding cyber risk.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.