The CISO is dead. Long live the CISO.

June 16, 2018//Ellen Neveux

More and more companies are hiring Chief Information Security Officers (CISOs) to navigate the rough waters of cybersecurity. With ransomware attacks and data breaches on the rise in highly regulated industries, the need for CISOs in enterprise organizations has never been greater. Long gone are the days when data breaches, ransomware, and other forms of cyberattack were rare. Cyberattacks have an observable, but rarely reported, effect on CISOs: with data breaches occurring almost daily, CISOs are realizing that there is a huge target on their back if, and when, a breach occurs.

A CISO’s role

A dirty little secret of the IT industry is that many people within an organization don’t actually know what a CISO does. Those who do, however, see “information security” in the job title and expect certain things. Because of these expectations, when IT failures occur, fingers are often pointed in the CISO’s direction first. It stands to reason that anyone who manages information security should be accountable when a lapse in cybersecurity allows a data breach or ransomware attack. Though a CISO’s responsibilities may differ from company to company, the core role is well defined: a CISO is a senior-level executive who is responsible for executing and overseeing the company’s cybersecurity strategy. So it stands to reason that the CISO is often held accountable when a data breach, of any form, occurs. In fact, according to a survey reported by Tripwire, 21% of IT decision makers would most likely blame a data breach on the CISO. Remarkably, the CISO position is second only to the CEO when it comes to perceptions of accountability after a cyberattack. This goes a long way toward explaining why the average tenure of a CISO is a mere 18 months. A CISO’s time may be short, but the potential impact of the role is mighty—a data breach can cost a company over $3 million to recover from and $1 million to discover.

The CISO position isn’t really talked about in mainstream media until a cyberattack is in the news. In other words, all news is bad news: whenever you get a notification, see a Tweet, or read an article about an organization getting breached, you’ll hear a CISO’s name. In fact, according to CSO Online, CISOs are fired regularly, with some of the top reasons being:

  • An inability to address risk to a satisfactory state and in an economical manner
  • Poor reporting
  • Exceeding a budget
  • Not following business strategies
  • Difficulty getting along with the IT team

CISOs have an incredibly difficult job because they are expected to secure an enterprise or organization from all angles and at all hours of the day. This is why, when a cybersecurity issue arises, the fingers are pointed directly at the CISO.

The blame game

When a breach or ransomware attack occurs, consumers want to see that the person responsible for the attack is held accountable. Breaches are often the result of an institutionalized failure of policy rather than the fault of a single individual. However, because policy often falls to the CISO, a CISO may lose their job so that the organization can preserve its reputation with consumers. Hence the average 18-month ticking clock.

Not only does a CISO have to worry about their own actions, but they are also accountable for their team if it fails to detect or respond properly to a breach. CISOs are also expected to manage issues external to the company (e.g. the faults of a partner or third-party vendor). Imagine a case where a third-party weakness is found that allows a bad actor to get into a network and cause measurable harm. A CISO will, more likely than not, be held accountable for this security failure.

Worse still are the outliers, like the story of the Uber CISO participating in a data breach cover-up. A breach looks bad enough for a company, but a cover-up can destroy a company’s entire reputation.

The CISO in highly regulated industries

It is difficult to talk about a CISO’s role without also mentioning compliance. A CISO is often responsible for monitoring regulatory compliance for whatever industry they operate in. No matter the regulatory standards in place, adherence to them is expected. This responsibility falls to the CISO, who is expected to handle it all—from making sure third-party vendors are granted the proper access privileges to educating employees on the nuances of phishing emails.

What CISOs can do

Because the CISO role is often on the chopping block in order to send a message after a public data breach, a CISO should act to anticipate and preempt failures in IT security.

  • Transparency is key: If a CISO finds out about a data breach or ransomware attack, it’s their duty to be up front and honest about it. This move can save an organization’s reputation and a CISO’s job.
  • Reporting: Accurate, comprehensive, and consistent reporting of vulnerabilities is key. The size of the possible vulnerability should not matter; anything and everything should be reported.
  • The right solutions and tools: This comes in many different forms, whether it be the IT team or the secure remote access platform in use; CISOs must be aware of the tools and solutions they’re using. The wrong tools could be the difference between an 18-month tenure and a lifelong job.
  • Open approach: In this case, honesty is the best policy. An open approach can aid in the prevention and detection of a data breach.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold-standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.
