Today’s CISOs need to be at the top of their game. With increasing macro stressors—new infosec threats, heightened business expectations and staffing resources stretched thin—many CISOs feel increasingly challenged with a growing number of obstacles.
This piece highlights specific challenges CISOs face, from both a leadership and security perspective, and provides guidance to improve executive and business alignment while strengthening security to protect the organization.
Challenges Facing CISOs
1. Executive Alignment and Expectations
Increased internal scrutiny presents new pressures for CISOs as both executives and boards ask more of them and their security teams.
It’s not uncommon for leadership to underestimate the complexity and intensity of security and cyber transformation programs. When CISOs join an organization, they often face unrealistic sets of goals for both the security program and the organization. In addition, boards do not always fully understand funding requirements, prioritization of overall security measures and the business risks involved.
CISOs are immediately expected to “fix everything” when they join a new organization, and they often experience significant pressure to quickly forge new objectives and deliver results. This is exacerbated in slow-moving organizations that have done things “the same way” for many years.
Misalignment and miscommunication between board expectations and timelines associated with new strategic initiatives often increase the pressure. Furthermore, given their unique role within the organization, many CISOs struggle with executive presence and communication. This is a particular and poignant challenge facing CISOs, where participating in conversations and confidently fielding questions from board members is fast becoming a requirement for those in the position.
Now more than ever, business leaders expect to partner with security leadership and want them to “speak their language.” The C-suite needs CISOs to take on an organizational leadership role that drives cultural change. These changes will require infosec leaders to adopt a broader set of nontechnical skills.
2. Aligning Security Budget and Risk Tolerance
Properly aligning organizational risk tolerance and security program budget requirements presents another disconnect between security and the business. As cybersecurity became more critical, security budgets as a percentage of firms’ total revenue also increased. However, many CISOs feel their organizations fail to properly measure and report on cyber risk and are therefore inadequately prepared for increasing threats—undermining the sole purpose of the security function.
Business leadership thinks and plans in business terms (dollars) and understands risk as opportunity gain or loss. This puts CISOs at a disadvantage when justifying security budget increases to the board.
Security budgets should function to reduce the likelihood and impact of data and financial losses caused by a breach or other incident. Risk management can’t be sacrificed for operational asset efficiency. Ideally, both opportunity and loss management should work together.
3. Security Staffing and Retention
The security staffing shortage continues to plague all companies, and strong security programs depend on solid staff. Our annual security budget study shows staff and compensation to be the largest security expenditure across sectors and organization sizes.
This security talent gap either results in vacancies or the hiring of individuals who lack the skills and experience necessary, the latter of which requires further training and development, as well as a greater time investment.
CISOs need real people on staff. Attracting and retaining those people is a major pain point, and throwing money at a technology doesn’t solve a staffing shortage. In the fiercely competitive market for security talent, staff budget allocation must constantly increase.
Unfortunately, HR and the business are not always aligned with security salary bands to recruit and retain the best possible talent. The right level of budget for critical roles along with retention considerations is key. Hiring at all levels requires both time and budget commitments that the C-suite may not always understand. In addition, CISOs must emphasize succession planning, which requires substantial budget and employee development investments.
Organizations that ask their CISOs to do increasingly more with fewer resources—staff and budget—risk not only frustrating their CISOs but also increasing the odds of a security incident occurring.
4. Complex and Evolving Threat Environments
With an increasing number of large-scale cyberattacks, organizations must support their CISOs and commit to investing in their security programs. While it’s impossible to anticipate or prevent every threat, there is an expectation to always be on call, even with inadequate security mechanisms and insufficient staff. Trending threat environment areas for CISOs include:
- Ransomware
- Remote workforces
- Internal and external data theft
- Continued digital transformation impacts
- Inadequate security awareness and training
- Business disruptions
- Threats to business value and reputation
- Compliance issues
For CISOs, this is only a fraction of the threats they face, and those threats become more sophisticated, widespread and varied each year.
Guidance for Today’s CISOs
The primary role of a CISO is building information security strategies to protect the business, its people and its data. Today’s CISOs must take the initiative to “up their executive game” to build value by actively engaging, supporting and contributing to both the organization and business priorities.
To create lasting change, CISOs have to drive cultural change, select technical solutions that work and integrate seamlessly with existing architecture, navigate and survive corporate objectives, and build a high-performance security team. To evolve and meet new expectations, CISOs need the following additional skills and best practices:
- Align with executive expectations: CISOs in the board room should reorient themselves from the perspective of the cybersecurity expert and put on the jacket that says, “I’m a business leader while wearing my cyber expert hat.” Using this perspective helps the board and senior leaders gain a reasonable understanding of the time it takes to drive a security transformation that takes into account the organization’s tolerance and appetite for change management. Excellent CISO communication and relationship-building skills are important to develop business rapport and demonstrate two things: how security helps with business opportunities and how security reduces future financial loss.
- Build IT security into the business risk profile: Set budgets accordingly using security metrics that connect back to the business. Investing in a rigorous risk-based approach helps to communicate a risk-based strategy to the business. Using a quantitative analysis of risk probabilities and impacts will provide the data to help influence the board. CISOs who build their security budgets based on risk using tailored metrics are more successful in securing their enterprises and building executive support because they focus on mitigating the threats with the greatest potential for damage to the business.
- Create a staffing narrative for the business: Make your security staffing narrative people-oriented, not budget-oriented, using strong business metrics and agile communication skills to translate business needs into technical requirements. Organizations see fewer exploits and improved response times when they include both a business and “top people” aspect in security. They can create a culture sensitive to cybersecurity risks, build more effective training programs, and develop clear processes for recruiting and retaining security teams.
- Communicate the threat environment effectively: Focus on telling a story with security metrics and key performance indicators (KPIs) that will play an important role in the narratives that drive leadership communication and understanding. It’s critical to establish a set of meaningful security metrics and KPIs that measure risk improvement and effectiveness of your overall security program for several reasons beyond reporting to the board. Metrics tailored to both your security requirements and the business will help guide future security decision-making and improve the security posture of your organization.
Cybersecurity is now a strategic business imperative, requiring CISOs, CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders and the board. For CISOs new to an organization, start with the interview process. Steve Martano, a partner at Artico Search, adds, “Much of the misalignment CISOs face walking in the door can be mitigated through proper due diligence in an interview: as a candidate, are you getting a sense that business leaders are aligned on security program expectations? Do you have a good sense of budgeting and recruitment? Are expectations for the first 12 months of a security transformation realistic?”
To successfully address the macro stressors and challenges of today, security leaders must take a business-first approach to elevate themselves and their programs with the C-suite.
CISO Benchmark Study
In 2021, over 500 CISOs and CSOs participated in our Compensation and Budget Study. This annual survey, developed in partnership with executive cyber recruiters at Artico Search, provides security and business leaders with a cross-industry overview of CISO compensation.
Survey respondents will receive a series of in-depth reports featuring new takeaways, a wealth of insights and valuable leadership guidance to fine-tune their current security budget and department, as well as their role and career path.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.