It is no secret that today’s Chief Information Security Officers (CISOs) must juggle a heavy set of responsibilities. They face a threat landscape more dynamic and complicated than ever before, a public with a greater awareness of that threat landscape than ever before, and regulatory frameworks which can mean substantial fines and reputational damage if their organisation fails to meet its requirements.
While the threats to the organisation as a whole when CISOs are operating under such pressure are well-documented, the threats to the wellbeing of those individual CISOs can receive less attention.
The risks: the organisation and the individual
CISOs today face rising workloads and dwindling resources, which can rapidly lead to unmanageable pressure and stress, severely affecting health, happiness and productivity. In turn, this can lead to major security and regulatory compliance issues. These are risks the entire leadership team should be concerned about, not the CISO alone.
According to a survey by RiskIQ, a huge 89.1% of all information security leaders are concerned about the rise in digital threats. On the one hand, this is hardly surprising. Protecting the organisation against such threats is the CISO’s core responsibility, after all. But dig a little deeper into the statistics, and we can see that the major concern is not the threat themselves, but inadequate staff resources to deal with those threats on a daily basis. Meanwhile, CISOs reportedly feel overwhelmed because they are increasingly responsible for a fast-moving and diverse portfolio. Multi-cloud and hybrid cloud deployments are complex and ever-changing.
And what happens if CISOs are unable to cope with the multitude of threats, highly complex infrastructures and staff shortages they are expected to manage? Potential devastating for the business. Revenue and reputation alike could come crashing down; regulatory compliance failures could mean serious fines and restrictions. We’ve all seen the ICO flexing its muscles with BA and Marriott recently.
But there is also mental and physical health to think about, with 17% of CISOs turning to medication in an attempt to cope with their workload, according to a report by Nominet. The same report shows a short-term retention rate for CISOs ranges from less than two years to less than three years, underlining just how many people in these positions feel unable to continue in them long-term. Furthermore, many CISOs do not feel that they have the support of their colleagues for what they are trying to achieve; just 52% of CISOs feel they are taken seriously by their executive teams.
So what can CISOs and their organisations do to ensure appropriate support is in place?
The recommendations: culture and communication
The starting point for alleviating pressure on the CISO has to be the organisational culture – because it is from the culture that everything else flows.
Your organisation must find ways of making CISOs feel more supported and less isolated, which means both are enabling them to ask for help, and alleviating some of the areas that they have responsibility for.
For example, communicate to staff the importance of taking personal responsibility for good habits that don’t leave organisations vulnerable to security breaches or compliance failures. This not only actively enhances the organisation’s security posture – as we know, human error and careless are always the weak links in the corporate security chain – but also increases the visibility of the CISOs role and creates a greater sense of shared responsibility. CISOs are always fighting for security to be ‘baked into’ the brand, not seen as an add-on – this is something that can be led by senior management.
The roles and responsibilities of the CISO at McKesson
And communication runs both ways. CISOs must be able to communicate the challenges they face, the pressure they are under, and the support they need to other senior managers, and to the board. Only with all members of the senior team on the same page in terms of taking security and compliance seriously will CISOs feel that they are not operating as an island.
Then there’s the question of greater collaboration between the work of the security and IT operational teams. This can ensure there is a joined-up risk strategy that takes the work and objectives of both teams into account. Regular staff training can help all employees understand the nature of and signs of potential data security risks. And there may or may not be a need to hire more security personnel internally, though a more flexible and cost-effective approach can be to turn to a third-party, who can act as an extension of your IT security team.
From a technology perspective, the organisation must take technical steps to make the CISO’s job easier. For example, managing key business systems and processes in a centralised and accessible platform rather than it being spread across different platforms or spreadsheets can help CISOs stay on top of threats across all platforms. Likewise, introducing integrated risk management tools, which can enable businesses to make decisions which support the overall risk posture, rather than battling with it.
Who is responsible for cyber security in the enterprise?
Similarly, organisations must ensure that all steps are taken to keep data that is shared in the cloud as secure as possible; for example, only sharing data on a ‘need to know’ basis. Using methods from automated tools to manual penetration testing will help organisations ensure they detect potential complex and multi-layered attacks and stay on top of their threat landscape.
As digital threats continue to develop and diversify, enterprise network infrastructures become more complex, and staff resources stretched, it is no surprise that CISOs are becoming overwhelmed. Their job is vitally important; no one said it would be easy. But they can still be supported with intelligence and ethics; by taking these steps, your organisation can ensure the CISO gets the support they need to do their best while managing the pressure that comes with the role.
Mike Harrison, Commercial Director at SureCloud