As the role of the CISO now encompasses more business-related competencies, CISOs acknowledge that understanding industry and privacy regulations is something they need to fully appreciate. They know that CxO management expects them to hold an informed position on what the company must do to remain compliant.
The research from F-Secure says CISOs need to continuously widen their internal and external engagements, primarily for two purposes. The first is obtaining business knowledge by interacting with areas such as the COO, legal and M&A teams, allowing the CISO to appreciate how the company makes money and what risks (outside of security) could impact its objectives.
Secondly, widening their external network with more ‘peer group’ interactions and with regulatory, trade and government agency partners will provide them with new insights, and will also allow them to promote their role as a business enabler and extend the operational excellence of their business.
Driving the right behaviours:
CISOs accepted the fact that greater soft skills will encourage more effective interactions. In the past the tone of security discussions was less about value and more about highlighting fear, uncertainty and doubt (FUD) – encouraging the suggestion that ‘maybe we need more incidents to be taken seriously.’ This is an approach with limited utility and long-term downsides.
Approaching security issues with example anecdotes helps the CISO convey risks and threats in a less intimidating manner. This kind of approach boosts the likelihood that the security message is clearly received and understood.
Ensuring that their security teams are effective remains a priority for the CISO. Engaging more effectively with their teams requires CISOs to work on improving their emotional intelligence (EQ).
The CISOs we spoke with want to explore new techniques to increase the value that each team member sees in themselves as a valued contributor. In doing so, CISOs hope to create a more productive and rewarding environment that retains these individuals and develops them as part of the company’s long-term success.
If the CISO approaches talent acquisition with the same attitude, they will be able to employ and retain staff to whom they can delegate greater responsibilities.
Some of the CISOs acknowledged that they split their teams up to proactively support different business units in achieving that unit’s objectives. However, when levels of engagement are low, some IT departments become reactive and wait for the security team to advise them. This risks piling the workload onto the security team and requiring it to be expert across all technology.
Getting peer and line management to understand how CISOs and their teams can support and innovate business functions is not that difficult if it is done from the outset of a project, an application introduction or a change management adjustment, and even at the integration or creation of new business units.
Security in security:
65% of the CISOs said that, even with all the issues the world has had to cope with in 2020, they feel more secure in their role. Only 37% of CISOs indicated that they are considering moving from their current position or leaving the industry.
Stress levels across CISO teams are being managed, with 78% scoring consistently within the mid-range of 4-7. However, when asked whether they had recognized increasing levels of burnout in their teams, the CISOs again scored 71% in the same mid-range, indicating that the human resources and occupational health teams need to engage more closely with the CISO, the security teams and the wider employee base in handling stress.
Trying to find 25 hours in a day, the ability to survive on very little sleep, being less worried and paranoid, and remembering that they have a home to go to were not uncommon comments.
Budgets appear to remain consistent across industries, averaging 53%, with 39% of respondents seeing improvements in their budgetary spend. When asked how they allocate budgets between the responsibility (company objectives) and accountability (delivering secure operations) sides of their role, 64% of CISOs placed themselves directly in the middle (a score of 5).
CISOs accept that, as members of the senior management team, they need to deliver on the business objectives, while also ensuring that their responsibility for delivering a secure operating environment across the entire value and supply chains can be shared across their own and other teams.
The CISOs also admit that it is down to them to learn how to communicate in a clear and unambiguous manner about what they see as possible risks to the business, employees and consumers, and align these concerns to the enterprise risk management framework.
But it should never be down to the CISO alone to support the business. Instead, it should be a team approach with other peers, each valuing insights and suggestions that increase the security and effectiveness of the business. CISOs do not have a sixth sense.
(Image Courtesy: www.firstwavecloud.com)