For the longest time, those of us who occupy the role of the CISO have fought for our seat at the 'big table.' Although it appears some of us are being invited into the C-suite, there is still a long way for us to go.This is highlighted in a 2021 report provided BT, which places "CISOs under the spotlight" and illuminates some interesting and concerning issues that businesses need to address.
Interestingly, this report doesn't seek the views of CISOs but rather seeks the views on cybersecurity and data protection from customers, employees and other business leaders. This offers us a unique insight into what others believe the role of the CISO is and what we do, resulting in five key insights that I believe warrant closer inspection.
We are operating securely
It's not unusual to find that the C-suite is largely optimistic about the strength in cybersecurity and data protection defenses. We discover in this report that this optimism is still running high, with 76% of business leaders rating their security defenses as 'excellent' or 'good.' But let's be honest, the C-suite generally sees cybersecurity and data protection through the lens of technology and, therefore, rarely understands the topic's breadth and depth. This is why organizations continue to have data breaches, with 84% of those surveyed stating that they had suffered from data loss or theft in the last two years.
How can this be that organizations can continue to have such a high degree of incidents yet regard their defenses as 'excellent?' I believe that we are once again a victim of terminology, with the word 'cyber' focusing the C-suite's mind on IT rather than the wider question of information security. The investment must be on more than just technology; it must be layered across people and processes, too, to ensure we reduce the likelihood (or repeat) of data breaches and cyber incidents.
To put it bluntly, If we continue to focus only on the vehicle and not on road safety, we will continue to have accidents and incidents.
Educating customers
It may not come as a surprise to you, but people do very strange things online, including putting themselves at risk from data breaches and being scammed. Consumers worry about being hacked, yet they neglect to implement necessary security measures such as back-up processes, updating software and devices or using unique passwords. But there is an opportunity here to differentiate your organization in the marketplace by educating consumers on how they can protect themselves while also highlighting the security you have invested to protect them. With the survey stating that consumers are 'skeptical as to how safe their data actually is,' there is a chance for you to remove that skepticism and replace it with trust.
Security vs. convenience
As people become more accustomed to our technological universe, it's pleasing to know that attitudes towards security are changing. Where users once would 'trade' security for convenience, there has been a shift in this thinking in recent years, perhaps driven by the high-profile data breaches and/or increased phishing attacks. Attitudes towards security seem to be maturing, as users see the importance of data and how it can be used and/or manipulated. Therefore, it is essential to make the 'user experience' positive while retaining the high-levels of security consumers expect. This could be in the form of simplified privacy notices or authentication methods rather than having to remember complex passwords and the use of cloud technology.
The human firewall
Bruce Schneier once said, "If you think technology can solve your security problems, then you don't understand the problems, and you don't understand the technology."
Human nature will always be a part of the issues we face when trying to protect an organization. This is possibly the hardest aspect of cybersecurity and data protection to address because it requires a deeper understanding of cultural and psychological drivers than most people are willing to accept.
The report from BT states that nearly half of employees say they have had a security incident but didn't declare it. The question we need to ask is, "Why?" Is there a culture of fear within these organizations? Is it because users have been blamed and/or shamed when an incident occurs? For far too long, the phrase "users are the weakest link" has been the prevailing thought in the IT and cybersecurity world, but this outdated mode of thinking needs to be erased if we are to improve our defenses.
CISOs need to take a close look at the culture in the organization and not just at the training and awareness program. Are people over-stretched? Are they anxious or fatigued? Is there a greater propensity to error or fall victim to a social engineering/phishing attack? In a world that is increasingly disconnected and operating remotely, it has been stated that phishing emails that include the word 'LinkedIn' in the subject line have an open rate of almost 50%. To put it bluntly, If you're not talking to your teams, then who is?
We need to patch our human firewalls and not just give them an injection of 'IT security training.' As Perry Carpenter states in his book "Information Security Awareness," "Just because I'm aware doesn't mean I care." We need them to care, so we need to explain why they should care. (And I don't just mean 'care about the organization.')
Be in the room where IT happens
For the longest time, CISOs have complained that they don't have a seat at the table and that they're not in the room when decisions are being made. This is beginning to change. Even so, CISOs need to lead from the front and be visible across the organization, not just in the C-suite. The CISO must be willing and able to communicate the objectives of cybersecurity in business terms so that every area of the organization understands the part that they have to play.
The report by BT offers some interesting insights into what employees, business leaders and consumers think of the CISO. But it would be interesting to ask: What do CISOs think of the role of the CISO? How has it changed in the last 12 months or two years? Or five years, for that matter?
It's the responsibility of the CISO to set the strategic and tactical direction of cybersecurity and data protection, but they can't do it all. This is like asking the CFO to save the organization from monetary ruin and then allowing everyone to do their own thing! It just doesn't work that way.
The specter of a data breach or incident isn't going away any time soon, but it's also not the only thing driving the need for the CISO to be at the table. Many organizations are looking at improvements to the way they operate and the use of technology to enable an increasingly dynamic and remote workforce. As we adapt to the 'new norm,' many are recognizing the need for and the importance of flexible working patterns, employee engagement, mobile device management and cloud technology.
The strength of a CISO is in their knowledge and experience and the partners and team they select to support them. Perhaps they can consider hiring specialist skills or deploying tools that can take over day-to-day operations so that the CISO has the mental and emotional capacity to think more strategically about what the organization needs. Start out simple, and build from there. Remember, any fool can make something complicated. It takes a genius to make it simple.
The CISO can help to bring these services and business transformations to life. But in order to do so, as the report states, it's time for the CISO to step out of the shadows.
About the Author: Gary Hibberd is the ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology. You can follow Gary on Twitter here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
