Cyber threats is one of the key areas that CEOs worldwide cite as the cause for their sleepless nights. In today’s highly complex and rapidly evolving internet enabled business landscape, no organization, regardless of its size and industry, is immune. According to a McAfee report, the cost of cybercrime was an estimated $600 billion in the past year. Not only are more organizations experiencing successful attacks on their endpoints, the cost of these compromises has also increased 42% year over year, according to The State of Endpoint Security Risk report by the Ponemon Institute.
In this context, CISOs and their teams form the fulcrum of the organisation’s ability to successfully conduct business and operate in an environment fraught by cyber risks and threats. Yet, these teams are are usually found struggling and exhausted. On top of that, these teams are expected to continually evolve to stay aligned with the continuously shifting threat landscape.
“The moment the teams stop evolving you will realize you have moved back a long distance. Hence, you have constant pressure and there is no moment to rest in our jobs. I remember the analogy of a CISO mentioned somewhere where it says that a CISO is a driver whose gear is managed by IT Infra, acceleration is managed by business, brake is managed by employees and steering is managed by the CIO of an organization. Still, if the vehicle meets with an accident the blame is purely on the CISO,” says Kalpesh Doshi, Chief Information Chief Information Security Officer (CISO), India, FIS Global.
So, how do companies ensure that CISOs and their teams are enabled in the organization to deliver their best? How should such roles be developed so that they have the executive powers to define and implement the organization’s security culture? According to Doshi, these are some of the steps that should serve as a foundation for a successful CISO and a battle-ready security team.
- Integral part of the board: Security is everyone’s business and if it does not have an independent voice in the boardroom then you can be assured that the board is not hearing the right noises and is not close to things that are strategically important. Information security making it to the board through the CISO’s presence will help empower the security teams with the organization.
- Improve harmonization: Cyber security today is like a multi-wheel vehicle, each a different size and a CISO is required to manoeuvre this vehicle. Now read this is conjunction with my earlier example of CISO as driver of the vehicle and visualize the situation of the CISO now. Building harmonisation within security teams is the key here to effectively manoeuvre the organisation’s cyber security strategy.
- Make risk identification a ‘Top-Down’ approach: Business risk identification has traditionally been a ‘Bottom-Up’ approach. This needs to decisively move to a ‘Top-Down’ approach as CISOs are expected to know the critical assets that need protection across all platforms that use/access the organization’s critical assets. This again, will help empower the security teams further.
- Part of digital decision-making: If an organization is planning to embark on a new digital platform it is critical for them to ensure that the CISO and his/her team has an understanding of the new platform and that they have sufficient time to build skills required to protect information assets. Hence, CISOs should be made part of any decision pertaining to adoption of new technology or organizational digital strategy. This will also bring the security team up-to-date on the new technology adoption within the organization and ensuing security challenges.
- Shift focus from prevention to resilience: In today’s world it is not a matter of whether you will be breached but rather when you will be breached. Hence, organizations should consistently invest on building resilience in the event of cyber attacks. This is a practical approach for the CISO and the security team to focus on to address the threats more effectively.
- Sufficient budget: Investment budgets are a bottle neck. This is a common refrain from the CISOs. Security budgets are always curtailed when incidents don’t happen. On the other hand, the flood gates open up the moment an incident occurs. This leads to a situation where a CISO is typically forced to manage an already stressful role with less resources and more risks. Adequate resources will empower the CISO and the security team to always remain in a battle ready mode.
- Earmark financial resources for regular up-skilling: Cyber security today is infinitely more complicated than ever before. CISO teams also need to undergo regular rigors to keep themselves abreast with the evolving threat landscape. Ensure that you earmark sufficient budget and ensure that every team member undergoes mandatory hours of training every year.
- Holistic approach towards security breaches: A CISO’s neck cannot be on the block all the time. A CISO may have defended the organization 99 times but pays a hefty price for the one time when the attackers got better. Often, when a significant breach occurs it is observed that the CISO’s team is the first to take the collateral damage. Organizations have to be pragmatic on this and have to adopt an approach where you actually find the root cause of how the security was breached and then take a holistic approach to determine actions. Unless proven to be negligence, it would be unfair to have the CISO and his/her team as a casualty as the rules of the games.
- Rigorous training to be battle-ready: Cyber security is mission critical for many industries and verticals, particularly in this day and age when there is cyber warfare and the involvement of state actors. It is only apt that it gets its due focus and diligence. A CISO and his/her team have to be as prepared as the army or any other law enforcement agency. They have to be battle ready and battle hardy. This can only be achieved by regular drills and exercises. Most organizations don’t bother. Even the ones who do have drills which leave much to be desired. Hence, there is a need for CISOs and their teams to undergo rigorous training to be battle ready.