What do CISOs care about?

Security is as strong as the weakest link.

For businesses and organisations today, there are plenty of potential cybersecurity weak links to worry about.

For example, there's the increasing move to edge computing, which expands the attack surface. The company network and datastore are no longer kept behind a single central perimeter - the castle-and-moat model.

With companies using multiple clouds, remote working, mobile devices, working from home and IoT (Internet of Things) devices, and with human error always a factor, there are many more endpoints and potential weak links for hackers to exploit.

The pandemic has intensified the CISO's role dramatically, but the buck still stops with them.

In this article, we'll look at the top concerns for CISOs, and how all employees have a responsibility for cybersecurity.

Top concerns for Chief Information Security Officers (CISOs)

Cybersecurity challenges are continuously changing and increasing, and of course in 2020 businesses had to enable remote working overnight, arguably without any planning or preparation.

This meant CISOs had to:

  • Button down security on the go
  • Deal with new emerging threats
  • Ensure business continuity
  • Deal with multiple systems, networks, devices, programs, processes and apps

Let's dip our toes into the ebb and flow of the river of cybersecurity and review some of the primary issues CISOs must navigate.

Growing frequency of cyber attacks

Probably the top concern for CISOs: cyber attacks are increasing hugely.

Off-the-shelf hacking tools enable less technical criminals to enter the world of cybercrime, plus there's the attraction of potentially big money to be made and plenty of sensitive data to hijack.

The current climate of working from home, edge computing, multiple perimeters to secure, etc., encourages cyber attacks further.

Expansion in attack opportunities

The increase in companies hosting their data in multiple clouds, a new culture of remote and distributed working, and the growth of IoT (Internet of Things) devices - all help to expand the potential attack surface, as data is stored, managed and processed from many sources.

Cloud services vulnerabilities

Multi-cloud environments can present new challenges for CISOs and virtual SaaS CISOs.

Misconfigured cloud servers, insecure APIs, and employees downloading insecure public SaaS (software as a service) tools - all increase an organisation's vulnerabilities, which in turn increases the CISO's cybersecurity workload.

Scarcity of cybersecurity expertise and experience

A good cybersecurity team, however big or small, can be the best form of defence against hackers and other cybersecurity issues. The global demand for IT security professionals has outstripped supply. This in turn means a CISO and their team can be stretched thin, making it harder to manage cyber risks effectively.

Lack of buy-in from company directors

Boards and CISOs often speak different languages and are from different backgrounds. The CISO is surrounded daily by technical concepts, jargon and acronyms that will often mean nothing to the Board. So it can be tricky to convey threats, risks and opportunities in a way that's meaningful to Board members.

At the same time, CISOs are increasingly having to step out of the (virtual and physical) server room and into the Boardroom. These days, a good CISO needs excellent business strategy, operations and risk knowledge, in addition to their traditional technical know-how.

Budget constraints

It's often difficult to show clear returns on cybersecurity investments, compared to other departments' budget requests. This makes it hard for CISOs to secure the larger budgets they need. It's even tougher for smaller organisations with smaller budgets, potentially leaving them more vulnerable to cyber threats.

Need for wider cybersecurity awareness

People are the weakest link in the network security chain. For example, it just takes one mouse click for an employee to fall for a phishing scam that invites malware into the company's network.

Companies and CISOs need to create a security culture as part of the broader corporate culture. Each employee needs to be, almost, their own CISO. They need to be aware of their day-to-day cybersecurity duties and responsibilities, and they need to understand their role in preventing attacks.

This takes nurturing, training and time. It takes impactful company-wide cybersecurity structures and policies to be in place.

This nicely leads into a further word about responsibilities.

Cybersecurity responsibilities

While the CISO will have high-level expertise and experience, all employees have a role to play in cybersecurity.

As said above, people can be the weakest link in the cybersecurity chain.

Conversely, cybersecurity in the workplace is significantly enhanced when all employees understand its importance and know exactly what to do - and not to do - to maintain security.

As mentioned earlier, the current climate of working from home, and employees using their own devices for work tasks, create further cybersecurity challenges. It's incredibly difficult, if not impossible, for an IT department, even in a small company, to secure everyone's mobile devices, home laptops, etc.

Hence the emphasis on staff taking some degree of responsibility for their corner of the company's digital perimeter.

What's next?

Hopefully, this article has given a helpful insight into priorities for CISOs, and why cybersecurity isn't just their responsibility.

If you need help and advice with cybersecurity, however large or small your organisation is, just give BlueFort Security a call - 01252 917000. Email - [email protected] or use our contact form.
