Being a CISO in today's rapidly changing technological landscape is no easy task. Add to that the constant and growing threat of attack by increasingly sophisticated and devious malicious actors, and you begin to understand the talk of sleepless nights, high attrition and extreme stress levels attributed to the profession. As with counter-terrorism, the attackers only have to be lucky once to breach the defences, whereas CISOs have to be on guard 100% of the time, and even that might not be enough.
Another thorn in the side of the Chief Information Security Officer is that they are different things to different people. For example, GDPR brought with it the need, in some cases, for a dedicated Data Protection Officer. Whilst there is sometimes a practical synergy in tasking the CISO with the extra DPO duties, this isn't always the case, and data protection can end up being dumped in the lap of the CISO with little forethought because of a board-level misconception that data protection is information security and vice versa.
In the ongoing fight against attacks, CISOs have a new arsenal of emerging technologies to assist them: AI, machine learning and automation have surfaced and are being deployed with varying degrees of use and success. Unfortunately, the attackers have also started leveraging this technology. Added to this, the unfettered growth of unregulated and poorly secured IoT (Internet of Things) devices has led to new forms of warfare such as botnet-enabled DDoS attacks, most famously the Mirai malware. For CISOs used to running an ISO 27001-level Information Security Management System (ISMS), often maintained in Excel, new technology that relies on bespoke and complex dashboards to view data flows and transport can be a daunting prospect.
Larger scale attacks
Added responsibilities come in the form of the threat of larger-scale attacks. As many companies go through extended periods of digital transformation, their attack surface widens exponentially. Information and cyber security is no longer just about protecting data assets; it can now be about protecting human life. Without being over the top, the consequences of critical national infrastructure sustaining an attack can literally be a matter of life or death. The onus is on the CISO not only to ensure he or she is employing the best technical safeguards, but also to communicate the threats and the need for vigilance to the whole workforce.
Developing and Maintaining a Security Culture
Depending on which piece of research you use, it's nevertheless safe to say that around 70-80% of all breaches can be attributed to some form of human error. The modern CISO has to understand that information security simply isn't number one, two or even three in the hierarchy of priorities for an average user. They have to find a way to get the information into people's heads and instil a culture of information security awareness. Risk Crew have collated years of experience and tinkering to create an awareness programme called eRiskology™. Our programme uses instructor-led workshops to Inspire staff, eLearning to Empower them with knowledge, regular multimedia dispatches to keep them Engaged, and a methodology to Measure progress. eRiskology™ has been designed by CISOs for CISOs, to flex, complement and assist them in turning the weakest line of defence into first responders who are always vigilant and engaged with the threat of information and cyber attack.
Dealing with Data Privacy
I touched on earlier how the introduction of GDPR (and the subsequent UK Data Protection Act 2018) has affected the role of the CISO. GDPR came into force mainly to make data protection regulations fit for purpose in the modern digital world, and while data protection isn't solely about securing data, it partly is. The role of the Data Protection Officer arguably should be separated from that of the CISO, but it may fall under the sole or joint (along with Legal) responsibility of the CISO's office. Risk Crew has a range of data protection services designed to assist CISOs, legal departments and HR.
It's not the CISO's responsibility alone
As well as being technically savvy, it has become apparent that a good CISO must also be a good communicator. They need to be able to engage at board level and articulate the importance and degree of the threats to the company's data assets, IP and personal data. They need to be able to spread the message throughout the whole organisation whilst still overseeing and maintaining the technical security solutions they have in place. CISOs also need to realise that information and cyber security is not their burden to shoulder alone. It's everyone's responsibility, from the cleaner to the CEO; perhaps CISOs should see themselves as something of a digital shepherd, guiding and informing their 'flock' towards information, cyber and data protection safety.
Risk Crew understands the CISO challenge.
Risk Crew is a company formed of information risk professionals for information risk professionals. We understand the challenges that CISOs face daily.