CISOs shouldn’t be shy about what they need from the board, as organizations with mutual board-CISO understanding are better positioned to tackle cybersecurity challenges successfully.
There has been an extremely strong focus of late on organizational boards’ concerns about cyber threats. This focus has come alongside amplified regulatory attention, much of which pushes for stronger board engagement on cybersecurity. As a result, board directors are increasingly asking questions of their CISOs.

In November 2023, the New York Department of Financial Services (NYDFS) finalized its modifications to 23 NYCRR Part 500. While this regulation was groundbreaking for being very prescriptive about which cyber controls are required, earlier drafts also indicated that each board should have suitably cyber-qualified members.

As a result, questions about cybersecurity practices are cascading into risk committees in every enterprise, with CISOs at the center.

But the CISO is already in the ‘hot’ seat, navigating a very challenging role that requires both deep expertise and experience. To ensure CISOs are equipped to meet this challenge, boards must look beyond what they need from their CISOs to address what CISOs need from them as well.

What the board wants from the CISO

The board has very specific expectations from their chief information security officer that center on effective risk management and communication. Most of all they want transparency and truth. This requires translation skills, as the CISO must translate complex cybersecurity risks into clear business terms and potential impacts that board members can understand and act on.

While clear and concise risk communication is essential, boards also expect regular updates on the organization’s security posture, critical threats, and vulnerabilities that could affect business objectives, all explained without technical jargon.

Let’s remember that board members have a personal liability at stake, and they want to see strategic leadership through a long-term security strategy that aligns with business goals, supported by clear metrics and cost-effective resource allocation. It is paramount for CISOs to remember this motivation when talking to the board.

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source : https://www.csoonline.com/article/3829678/what-cisos-need-from-the-board-mutual-expectations-respect.html
Research shows various ways to classify CISOs based on role expectations, strengths and experience – distinctions that matter when it comes to ensuring that security leaders land in jobs where they will succeed.

When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.

The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.

The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO/head of trust at MongoDB. The anecdote and Gerchow’s observations highlight the idea that leaders — including business executives broadly and CISOs in particular — can be classified into different types.

Source : https://www.csoonline.com/article/3830379/strategic-functional-tactical-which-type-of-ciso-are-you.html

Cybersecurity leaders share insight on a crucial but overlooked task after any security incident: rebuilding trust with the stakeholders that matter the most.

When incident response plans cover the aftermath, they typically focus solely on technical matters, such as root cause analysis or upgrading systems. The problem with this approach is that breaches are not only technical in nature — they can also undermine trust among various internal and external stakeholders of the business.

This loss of trust can be hard to measure, but it manifests concretely. For example, publicly traded companies may lose the enthusiasm of institutional and retail investors. Once popular organizations for tech talent may see their pipeline of applicants dry up. The morale of your cybersecurity team may wane, leading to retention issues and resignations.

In short, CISOs must prioritize rebuilding trust with stakeholders as an equal priority to any technical exercise. After all, no improvement or upgrade matters if stakeholders do not buy into your organization’s overall cybersecurity plan or execution.

Transparency across the incident lifecycle

Christopher Robinson, chief security architect of The Linux Foundation, says transparency is key to rebuilding stakeholder trust. Unfortunately, companies often take the opposite approach.

Source : https://www.csoonline.com/article/3825447/how-cisos-can-rebuild-trust-after-a-security-incident.html

CISOs are trained to fix problems. Lawyers are trained to find them. The two must work together to address complex challenges like breaches, compliance, or the ethics of emerging technologies.

There’s a joke that’s been floating around boardrooms for years: “What’s the difference between lawyers and engineers? Lawyers don’t think they’re engineers.”

This light-hearted jab highlights a fundamental difference between the two professions. Engineers, and by extension CISOs, focus on building and fixing things, learning a wide array of skills, sometimes sticking their hands into technologies nobody trained them to handle. Lawyers, on the other hand, aim to find problems, navigate gray areas, and anticipate risks.

While these differences might seem like a recipe for conflict between the two professions, they can often lead to a strong partnership. By combining their skills, these two groups can navigate the ever-evolving intersection of technology, innovation, and regulation.

“Cybersecurity and data breaches are not just technical issues,” says Michael Welch, former CISO and managing director at MorganFranklin Consulting. “They can be intertwined with legal, regulatory, and reputational risks that require a collaborative, proactive approach.”

While the relationship between CISOs and their legal teams is essential, things don’t always go smoothly. Differing priorities and communication gaps can create tensions or even lead to conflict. However, strengthening this partnership is not just beneficial — it’s critical for the organization’s ability to manage risks and respond to complex cybersecurity and compliance challenges. And CISOs can do a few things to make this partnership work.

Source : https://www.csoonline.com/article/3811937/cisos-stop-trying-to-do-the-lawyers-job.html

Collaborating with startups, acting as advisors and supporting innovators are some of the ways security leaders can play their part in fostering innovation in cybersecurity.

Cybersecurity leaders have an advantage when it comes to innovation, given their front-row seat facing new and old threats. That is why many CISOs are playing an active role in shaping emerging solutions, a position that also gives them a clear understanding of where current solutions fall short.

“CISOs can play a part in supporting innovation by shaping solutions that address these gaps,” says Shahar Maor, Fullpath CISO, who’s engaged with numerous startups to explore emerging technologies, co-develop features, and test products in real-world scenarios.

While the rewards can be significant, there are some ground rules. CISOs must know the risks of adopting untested solutions, keep their organization’s priorities in mind, and learn how to evaluate new tools and technologies. “We also ensure both parties have clear, shared goals from the start, so we avoid misunderstandings and set everyone up for success,” Maor tells CSO.

Nonetheless, helping drive innovation can lead to advancements in new security solutions and help CISOs in protecting their organization.

Partnering with startups

With threats evolving every day, organizations are finding that many existing solutions fall short, according to Nicole Perlroth, managing partner of Silver Buckshot Ventures, author and former cybersecurity journalist with The New York Times. This creates more of an appetite to partner with startups because they see potential in gaining access to tailored solutions. “Startups are looking at novel ways to address threats because clearly the old approaches aren’t stopping the attacks that are coming in every day,” she says.

Source : https://www.csoonline.com/article/3807110/the-cisos-role-in-advancing-innovation-in-cybersecurity.html

These 10 steps can help CISOs and other cyber pros deal with the inevitable change they will face in an industry constantly challenged by new technology, widening business responsibilities, and an ever-evolving threat landscape.

If there’s one thing that’s inevitable in cybersecurity, it’s change. Ever-evolving technology requires new protections, threats seem to multiply and morph on a daily basis, and even the humblest pieces of software and hardware demand constant updating to stay secure.

That work has been increasing as the importance, visibility, and impact of security initiatives have ramped up in recent years. Now, more than ever, security programs often require stakeholders within and sometimes even outside an organization to change workflows, practices, and behaviors.

A disciplined approach to change management in security is a must, says Ken Knapton, who provides CISO and CIO services through his IT services firm Rocky Mountain CIO. “The idea is, if you’re going to make changes, there is a path you have to bring people down and it starts with ‘Here’s what we want to do,’” Knapton tells CSO.

To effectively lead organizations through change, Knapton uses a chart that maps the multiple steps necessary to successfully adopt new ways of working. The chart plots the movement from awareness and understanding of the desired change through compliance and adoption to, ultimately, internalization. It also lists the myriad consequences of resistance (including sabotage and canceled projects).

Knapton had successfully used this approach as a CIO. As he has more recently taken on CISO duties, he’s applying those same change-management skills to ensure that new security processes, policies, and technologies are adopted effectively.

Cybersecurity leaders need to widen their change-management skills

“Too often security leaders say, ‘We are going to do this because we have to’ without helping people along the path. That’s because they think everyone is going to jump on board. But that doesn’t work,” Knapton says.

Source : https://www.csoonline.com/article/3804320/want-to-be-an-effective-cybersecurity-leader-learn-to-excel-at-change-management.html