The CISO is dead; Long live the CISO

More and more companies are hiring Chief Information Security Officers (CISOs) to navigate the rough waters of cybersecurity. The need for CISOs in enterprise organizations is at the height of importance with the increase in both ransomware attacks and data breaches. Again, we're not going to be the first ones to tell you that the days when third-party data breaches, ransomware, and other forms of cyberattacks were rare are gone. Cyberattacks have an observable, but rarely reported effect on CISOs. With the almost daily data breaches, CISOs are realizing that there is a huge target on their back when (not if!), a data breach occurs.

What is a CISO's role?

A little dirty secret of the IT industry is that many people within an organization don’t actually know what a CISO does. However, those that do, see “information security” in the title of the job, and expect certain things. Because of these expectations, when IT failures occur fingers are often pointed in the CISO's direction first. It stands to reason that anyone who manages information security should be accountable when a lapse in cybersecurity allows a data breach or ransomware attack. Though a CISO's responsibilities may differ from company to company the core role is well-defined; a CISO is essentially a senior-level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy. So it stands to reason that the CISO role is often held accountable when a data breach, of any form, occurs. In fact, according to a survey reported by Tripwire, 21% of IT decision-makers would most likely blame a data breach on the CISO. The CISO isn't the only one that's seen as being accountable, of course;  it is seen as the second finger that gets pointed, after the one that's pointed at the CEO, of course. This goes a long way in explaining why the average tenure of a CISO is a mere 18 months. A CISO's time may be short, but the potential impact of their role is mighty—data breach recovery can cost a company over $3 million in recovery and $1 million to discover a breach.

Hearing about a CISO in the news is... bad news

The CISO position isn’t really talked about in mainstream media, that is until a cyberattack is in the news. In other words, all news is bad news: whenever you get a notification, see a Tweet, or read an article about an organization getting breached, you'll hear a CISO's name. CISOs have an incredibly difficult job because they're expected to be able to secure an enterprise or organization from all angles and at all hours of the day. This is why when a cybersecurity issue arises, the fingers are pointed directly at the CISO.

Customers play the blame game

When a breach or ransomware attack occurs, consumers want to see that the person responsible for the attack is held accountable. Breaches are often the fault of an institutionalized failure of policy and not that of a single individual, however, because the policy often falls to the CISO, a CISO may lose their job in order for an organization to preserve their reputation with its consumers. Hence, the average 18-month ticking clock. Not only does a CISO have to worry about their actions, but they are also accountable for their team if it were to fail to detect or respond properly to a breach. CISOs are also expected to manage issues external to the company (e.g. those faults of a partner or third-party vendor) as well. Imagine an example where a third-party weakness is found that allows a bad actor to get into a network and cause measurable harm. A CISO will, more likely than not, be held accountable for this security failure. Worse still, are the outliers: like the story of the Uber CISO participating in a data breach cover-up. A breach looks bad enough for a company, but a cover-up can destroy an entire company's reputation.

The CISO in highly regulated industries

It is difficult to talk about a CISO's role without also mentioning compliance. A CISO is often responsible for monitoring regulatory compliance for whatever industry they operate in. No matter the regulatory standards in place, adherence to the compliance standards is expected. And this responsibility falls to the CISOs, and they are expected to handle it all—from making sure the third-party vendors are granted proper privileges to educating employees on the nuances of phishing emails.

What CISOs can do

Because the CISO role is often on the chopping block in order to send a message after a public data breach, a CISO should act to preempt and anticipate failures in IT security.

  • Transparency is key: If a CISO finds out about a data breach or ransomware attack, it's their duty to be upfront and honest about it. This move can save an organization’s reputation and a CISOs job.
  • Reporting: Accurate, comprehensive, and consistent reporting of vulnerabilities are key. The size of the possible vulnerability should not matter, rather, anything and everything should be reported.
  • The right solutions and tools: This comes in many different forms, whether it be the IT team or the secure remote access platform used, CISOs must be aware of the tools and solutions they’re using. The wrong tools could be the difference between an 18-month tenure and a life-long job.
  • Open approach: In this case, honesty is the best policy. An open approach can aid in the prevention and detection of a data breach.

A CISO should never feel alone in their quest to keep their company safe. Learn more about the importance of implementing the right tools to have a full cybersecurity platform that keeps your company (and your job) safe.