Today’s CISOs need to be at the top of their game. With increasing macro stressors—new infosec threats, heightened business expectations and staffing resources stretched thin—many CISOs feel increasingly challenged with a growing number of obstacles.
This piece highlights specific challenges CISOs face, from both a leadership and security perspective, and provides guidance to improve executive and business alignment while strengthening security to protect the organization.
Increased internal scrutiny presents new pressures for CISOs as both executives and boards ask more of them and their security teams.
It’s not uncommon for leadership to underestimate the complexity and intensity of security and cyber transformation programs. When CISOs join an organization, they often face unrealistic sets of goals for both the security program and the organization. In addition, boards do not always fully understand funding requirements, prioritization of overall security measures and the business risks involved.
CISOs are immediately expected to “fix everything” when they join a new organization, and they often experience significant pressure to quickly forge new objectives and deliver results. This is exacerbated in slow-moving organizations that have done things “the same way” for many years.
Misalignment and miscommunication between board expectations and timelines associated with new strategic initiatives often increase the pressure. Furthermore, given their unique role within the organization, many CISOs struggle with executive presence and communication. This is a particular and poignant challenge facing CISOs, where participating in conversations and confidently fielding questions from board members is fast becoming a requirement for those in the position.
Now more than ever, business leaders expect to partner with security leadership and want them to “speak their language.” The C-suite needs CISOs to take on an organizational leadership role that drives cultural change. These changes will require infosec leaders to adopt a broader set of nontechnical skills.
Properly aligning organizational risk tolerance and security program budget requirements presents another disconnect between security and the business. As cybersecurity became more critical, security budgets as a percentage of firms’ total revenue also increased. However, many CISOs feel their organizations fail to properly measure and report on cyber risk and are therefore inadequately prepared for increasing threats—undermining the sole purpose of the security function.
Business leadership thinks and plans in business terms (dollars) and understands risk as opportunity gain or loss. This puts CISOs at a disadvantage when justifying security budget increases to the board.
Security budgets should function to reduce the likelihood and impact of data and financial losses caused by a breach or other incident. Risk management can’t be sacrificed for operational asset efficiency. Ideally, both opportunity and loss management should work together.
The security staffing shortage continues to plague all companies, and strong security programs depend on solid staff. Our annual security budget study shows staff and compensation to be the largest security expenditure across sectors and organization sizes.
This security talent gap either results in vacancies or the hiring of individuals who lack the skills and experience necessary, the latter of which requires further training and development, as well as a greater time investment.
CISOs need real staff. Attracting and retaining those people is a major pain point, and throwing money at a technology doesn’t solve a staffing shortage. In the fiercely competitive market for security talent, staff budget allocation must constantly increase.
Unfortunately, HR and the business are not always aligned with security salary bands to recruit and retain the best possible talent. The right level of budget for critical roles along with retention considerations is key. Hiring at all levels requires both time and budget commitments that the C-suite may not always understand. In addition, CISOs must emphasize succession planning, which requires substantial budget and employee development investments.
Organizations that ask their CISOs to do increasingly more with fewer resources—staff and budget—risk not only frustrating their CISOs but also increasing the odds that a security incident occurs.
With an increasing number of large-scale cyberattacks, organizations must support their CISOs and commit to investing in their security programs. While it’s impossible to anticipate or prevent every threat, there is an expectation to always be on call, even with inadequate security mechanisms and insufficient staff. Trending threat environment areas for CISOs include:
For CISOs, these are only a fraction of the threats, which grow more sophisticated, widespread and varied each year.
The primary role of a CISO is building information security strategies to protect the business, its people and its data. Today’s CISOs must take the initiative to “up their executive game” to build value by actively engaging, supporting and contributing to both the organization and business priorities.
To create lasting change, CISOs have to drive cultural change, select technical solutions that work and integrate seamlessly with existing architecture, navigate and survive corporate objectives, and build a high-performance security team. To evolve and meet new expectations, CISOs need the following additional skills and best practices:
Cybersecurity is now a strategic business imperative, requiring CISOs, CEOs and their management teams to work together to meet the higher expectations of regulators, shareholders and the board. For CISOs new to an organization, start with the interview process. Steve Martano, a partner at Artico Search, adds, “Much of the misalignment CISOs face walking in the door can be mitigated through proper due diligence in an interview: as a candidate, are you getting a sense that business leaders are aligned on security program expectations? Do you have a good sense of budgeting and recruitment? Are expectations for the first 12 months of a security transformation realistic?”
To successfully address the macro stressors and challenges of today, security leaders must take a business-first approach to elevate themselves and their programs with the C-suite.
In 2021, over 500 CISOs and CSOs participated in our Compensation and Budget Study. This annual survey, developed in partnership with executive cyber recruiters at Artico Search, provides security and business leaders with a cross-industry overview of CISO compensation.
Survey respondents will receive a series of in-depth reports featuring new takeaways, a wealth of insights and valuable leadership guidance to fine-tune their current security budget and department, as well as their role and career path.