How to empower your chief information security officer (CISO)

With security a vital aspect of company operations and digital transformation in a post-pandemic world of rising cyber attacks, the CISO provides that all-important leadership of protection protocols. The shift to remote working during the pandemic brought a whole host of challenges for CISOs to overcome, such as weakened controls due to widespread use of remote devices, and the difficulty of keeping those devices up to date. To mitigate these challenges, organisations must empower their CISOs, providing them with the communication and resources required to keep the network secure.

Here are some of the ways that companies can empower their CISOs to excel in their ever-important position.

Ensure adequate resources

A recent report from Bloomberg Intelligence (BI) has predicted that global spending on cyber security could reach $200 billion a year by 2024, which demonstrates the importance of security in the IT budget. Budget, together with the right number and skill levels of staff, is set to be vital for CISOs going forward.

“It is critical to ensure that CISOs are adequately resourced with budget and staff to stay current on threats, protection technologies/services, and best practices externally while creating and evolving company processes (training) and safeguarding internal hardware, software, networks, and services,” explained Michael Gurau, partner at Altman Solon.

“Competitive and peer responses, or lack thereof, to threats that might impact product performance or customer experience present the better-prepared opportunities for business advantage.

“Internally, leadership should encourage opportunities for sharing and collaboration between CISOs and executive, solution, service, and marketing leadership to explore, exploit, and reflect cyber-preparedness in offerings, marketing/messaging, and competitive situations.”

Ted Wagner, CISO at SAP NS2, added: “Funding the CISO’s budget is most important. While there are many considerations in allocation of scarce budget dollars, if the CISO’s priorities are funded, it speaks loudly to the rest of the organisation that security matters.”

Establish security principles

It’s important for the CISO and the rest of the company to be on the same page, and this is difficult to achieve without having a strong set of holistic security principles in place.

According to Grant Duxbury, director of pre-sales engineering at Aptum, “an enterprise is only ever as secure as its guiding principles.

“Visibility, for instance, is a vital part of the security equation. In an on-premises environment, the entire infrastructure operates within a single trusted domain under the administrator’s control. In public, private, hybrid and multi-cloud environments, that infrastructure can be spread across multiple locations and providers.

“In these situations, visibility can become harder to obtain but remains equally important. Tools that grant visibility across all infrastructure environments can deliver the insights CISOs need to understand where vulnerabilities lie.

“Additionally, a strong set of policies can empower CISOs to focus on individual applications and data as well as wider infrastructure. Staying on top of who has access to each application and who has control of important security tools limits the likelihood of rogue third parties gaining access to the system. Vetting all applications, networks, and devices alongside constantly checking the business’ risk tolerance with stress tests will reinforce CISOs’ efforts and enhance overall security.”

A risk-based approach

The new remote working environments ushered in by the pandemic have expanded the attack surface, meaning the CISO needs added visibility over the network.

According to Adam Palmer, chief cyber security strategist at Tenable, clear communication with the organisation’s board about possible risks can go a long way in empowering security leadership.

“CISOs will need to be aware, and effectively list the vulnerabilities before they inform the board of directors of what is being done and how to reduce and address them,” said Palmer.

“By using a risk-based approach CISOs can profile the distributed risk across the extended enterprise, and explain this in the boardroom in the same business terms other functions use so all can understand and evaluate any controls that need to be implemented to address that risk effectively and cost-efficiently.

“It will be tempting for management to purchase additional tools to alleviate the overall risk levels, and it is important to remember that a magic bullet is not the only solution.

“What will be more meaningful is to understand – and systematically demonstrate – the reduction of risks by prioritising those that affect critical assets to the business – those that it can’t function without. If CISOs embrace these basic best practices, it can go a long way to reducing the risk levels in further challenging circumstances.”

Engaging with customers

Another way to empower your CISO is to encourage engagement between them and the company’s clients, providing them with the opportunity to share their expertise externally.

“CISOs can be invaluable when talking with prospective customers, providing a level of knowledge and trust that comes with being separated from any sort of sales organisation,” said Andrew Daniels, CIO and CISO at Druva.

“Customers often want to know how a vendor keeps them safe, and by extension, your own company safe. CISOs are the best individuals to answer these questions, which can sometimes make or break a deal.

“The work undertaken by a CISO can help uphold an organisation’s reputation, which will allow the business to achieve more growth and scale. Encourage and provide opportunities for your CISO and security organisations to have this connection and conversation with customers. It will do wonders for retention and trust.”

Establish a security culture

Finally, a useful way to make your CISO feel empowered to perform their role to the best of their ability is to establish a security culture.

Ellen Benaim, CISO of Templafy, explained: “An important aspect of your CISO’s job is ensuring other employees are aware of their responsibility in relation to security. Therefore, one way to empower your CISO is to create a security-focused culture that entitles all employees across the whole organisation to make the right decisions regarding security.

“By holding a weekly meeting that commits to five to ten minutes to talk around the subject matter of security, such as discussing the latest risks and how to mitigate them, you can make sure every employee feels security is relevant to them. Collaboration is key.

“The more collaborative CISOs are with their workforce, the more they can engage in what employees see every day, ensuring they have the tools and knowledge to follow best practices.

“By making sure organisations can trust the entire workforce with sensitive information, you are empowering your CISO to be able to operate in the most efficient and effective way possible.”