Where do CISOs stand in an era cyberattacks and intense scrutiny?
Cybersecurity has no doubt entered the national dialogue when it comes to economic or even national security issues. By nature, cyber is a deeply technical endeavor, but organizational culture surrounding security has become as important as the tech wizardry itself. This is evidenced by Microsoft’s recent testimony before the House Homeland Security Committee around alleged security lapses (for instance, the tech giant was mired in the headline-grabbing SolarWinds breach that touched government agencies). It has now launched an initiative designed to shore up internal processes and boost security strength, along with favorability.
Still, the reception has been tepid at best: a scathing op-ed from former National Security Advisor Robert C. O’Brien warned against Microsoft becoming “a hackers’ superhighway.” Yet, with crippling ransomware attacks and other stealthy breaches on the rise, Microsoft is not the only company reevaluating or enhancing its approach to cybersecurity. So, what’s influencing today’s “security posture” — and how are CISOs actually affecting it? What’s their most effective strategy? Further, is the specter of personal legal or financial responsibility for security leaders, a la the initial fraud charges against SolarWinds’ former chief information security officer (CISO), catalyzing security or setting teams back?
This article will analyze the plight of today’s CISOs and their role in safeguarding an organization’s market presence and reputational status, which is the most significant internal driver. In fact, security’s impact on the business should hold more of the focus in high-level conversations — versus potentially ignoring weaknesses or devising ways to pin blame or financial responsibility on individuals. The conversation must evolve, as it takes a village to secure the hundreds of millions of customer dollars, or more, at stake. C-suite members would be remiss not to recognize and empower the battle-tested CISOs who are on the frontlines. But, what does that empowerment look like?
Getting the right leaders into CISO positions
To be clear, day-to-day security strategy starts with the CISO. Of course, cyber risk widens quite extensively beyond this individual, and is now often a CEO and board-level discussion. Still, the CISO provides requisite oversight and administration of the program.
So, first and foremost: a top business consideration must be who is sitting in the CISO chair. These individuals can no longer just be the highest-performing security administrator or even the brightest security strategist. Instead, they need to be big-picture business thinkers capable of connecting their work to organizational performance at the highest level.
This is not a new consideration — for years the industry has called on CISOs to enter these influential business conversations and guide their boards and executives. For traditionally technical folks, this can be a challenge; but there is a pool of talented leaders ready to step up.
The technical-strategic divide
True, SolarWinds has become a bogeyman for security leaders — considering recent enforcement action from the U.S. Securities and Exchange Commission (SEC) that singled out the company’s former CISO (though a majority of the charges have since been dropped). Still, the more imminent threat is not so much personal liability — though it’s on CISOs’ minds — but the gulf between security’s technical ins and outs and a deep understanding of its real impacts. In fact, cybersecurity missteps can be profound: impacting insurance premiums, litigation and even business contracts. These are waves coming together and crashing ashore at once.
This makes the CISO role increasingly important. Still, capable CISOs also need a receptive — and engaged — C-suite audience. In fact, the days of operating in a siloed corner of the business are long over. So, for one, a broader range of executive salaries should hinge on the company’s ability to stay cyber-secure. Business-wide failures should not be one person’s undoing.
Still, CISOs must be the catalyst — grounding execs in strategy and outlining preparatory measures. But, risk mitigation also demands broader buy-in. This will ultimately help teams contend with emerging threats and sustain or grow their company’s market position.
Getting those non-security leaders on-board
It’s well understood that top executives need to be clued into security strategy. But, the question becomes: How can CISOs more easily loop them in? Ultimately, it involves fine details and truly “nailing” those presentations and other regular discussions. It means translating cyber’s impact to dollars and cents, or customers won and lost. As a regular exercise, this will help educate various leaders, elevate CISOs and give cybersecurity the attention it deserves.
More specifically, CISOs can actually calculate potential financial losses from data breaches (they reached an all-time high of $4.45 million lost per incident in 2023), including costs of remediation, legal fees, and regulatory fines. They can also assess the impact of security incidents (internal or external) on customer trust, brand reputation, and potential revenue loss from decreased customer retention and acquisition. These are the keywords that will garner attention, and quickly.
Thanks to new methods, including metrics like cyber risk ratings, security teams can also leverage independent analyses that quantify performance — helping to set a baseline and ultimately get wider buy-in on budgets and solutions.
Moving forward
Surging ransomware attacks and recent rhetoric from tech giants have proven that cybersecurity is a highly complex, but more importantly consequential, area of the business. Both proper guardrails and leadership are necessary to boost organizational, and even national, cyber-resilience.
With this guidance and by pushing for broader participation, CISOs and their peers will be set up for success — more easily gauging risk levels, fortifying their systems and data, and keeping cybercriminals at bay.