Four reasons not to blame the CISOs
Written by Cath Goulding, Head of Cyber Security, Nominet
Let’s pretend my bank has been hacked and my account details swiped. I’m angry; who can I blame? The cyber criminal behind the hack is too obvious and ambiguous. Blaming myself for not setting better passwords is moot (it’s never my fault). Let’s blame the bank instead. More specifically, let’s blame the Chief Information Security Officer (CISO) at the bank. Cyber breaches keep rising; clearly the CISOs of the world are useless.
I’m being flippant of course, but it’s an easy conclusion to reach, especially in a climate of fear and uncertainty. Personal details are being stolen and we live in a society that likes to assign moral responsibility. Someone should take the fall — and a third of CISOs we researched for our new report, Life inside the Perimeter, admitted they expect to be fired or disciplined if the worst should happen.
Pinning the blame on the CISO only stops seeming obvious when you appreciate the myriad challenges that they are facing as cyber security evolves rapidly and the default finger of blame points at them. A CISO is only as good as allowed to be within the company culture and environment, and it’s time for all industries to better understand the challenges faced by the CISO to find a way to work with them, and not against.
Challenge One: Board-level buy in
Without support and backing, a CISO is largely powerless. Like all employees, the CISO ultimately remains at the mercy of the board and the C-suite, and their accepted definition of risk. Unless cyber security is escalated to a board level, and cyber risk viewed as seriously as other types such as financial and reputational, the CISO can often be restricted in their companywide plans to improve the cyber security of a business. Organisational investment in a CISO’s efforts, suggestions and expertise are paramount to allow them to make a difference.
Challenge Two: No silver bullet
There is no simple, isolated ‘fix’ for maintaining the cyber security of a business. It is less a destination than a journey, and one that requires continuous technical fixes alongside psychological shifts and operational behaviour change across all departments. Employee attitudes to cyber security are as important as software and firewalls, and a holistic approach to cyber security is the golden ticket to resilience. Business leaders need to stop expecting a silver bullet from their CISOs and recognise cyber security as a necessary, ongoing part of operations.
Challenge Three: Battle for budget
Our research shows that nearly 70% of CISOs found malware hidden on their networks for an unknown period of time, often missed due to a lack of resources. A company is fortunate to have a CISO, but it’s likely that the cyber security team will be under resourced and under pressure — not ideal conditions for progression and positive outcomes. This is compounded by the fact that budgets are finite and must be fought for — the tech team might be up against marketing for funds. Additionally, too many boards remain resistant to investing so much in what they see as maintenance of the status quo, without the lure of profit.
Challenge Four: Playing catch up
Many cyber criminals are experts that have chosen the dark side over the light, and the speed at which they evolve their techniques and innovations is alarming. Trying to keep pace with the changing nature of threats and means of attack is an endless process of learning and exploration, and an equal mix of trial and error. Fundamentally, it’s a basic law of averages that the tenacious criminal will sometimes beat the CISO in the race.
In short, being a CISO is a tough gig. Every single CISO we spoke to for our research said they find their work stressful. More worrying, nearly 17% are medicating or using alcohol to deal with their stress. Can we blame them? If you do a great job, no one notices; if it goes wrong, mud sticks, despite the complexity of the challenges faced by those trying to grapple with a difficult, ever-changing threat with the highest odds imaginable.
So, let’s not blame the CISOs when our personal details are compromised, but instead make sure we are each doing all we can to mitigate the harm of a breach on ourselves. Change passwords regularly or, even better, use longer passphrases, and avoid duplicating these across different accounts. Be vigilant and suspicious by default. Always pause before you respond to an email, click on the link or respond to a call — are they really who they say they are? You can check the information on their website and call or email them back. Use credit cards for the added protection they offer consumers, just in case you are caught out.
Sometimes blame is simply a means of responsibility-avoidance; it won’t ease the sting nor help avoid a further compromise in the future. This is an important lesson for businesses to grasp as cyber security becomes an ever-growing area of focus, and anxiety around cyber attacks balloons. Business leaders must start to understand the complexity of the challenge facing CISOs and fight the fear. Invest in their work and take ownership of cyber risk as much as financial, supporting the CISO’s work and giving them the space and power to make the changes needed. And then, if the worst should happen, ask not ‘who can I blame?’ but ‘what did we, the business, do wrong? How can we learn and improve?’.
Originally posted here
Originally published at digileaders.com on February 21, 2019.