March 30, 2017 By George Moraetes 2 min read

The role of the CISO is more complex than ever. One major factor contributing to this CISO complexity is the growing number of regulatory compliance requirements with which organizations must comply. There are also industry-specific standards muddying the water. Financial services, for example, are heavily regulated in the U.S. and the European Union (EU). These regulations are rapidly changing, and it is very difficult for CISOs to keep up with all mandates.

CISOs are often confronted with organizational business units that simply accept risk instead of attempting to mitigate it with regulatory and security compliance. It is difficult to justify this problem to regulators who often see it as a black-or-white issue — either you’re in compliance or you are not. CISOs have a tough time addressing this gap in the ever-changing regulatory environment.

Getting Executives on the Same Page

The heightened awareness of executives and boards of directors also contributes to CISO complexity. Through collaboration with other organizations, these executives are becoming more sensitive to the importance of security. They have seen other organizations suffer data breaches and heard of the masses losses, and they want to know that their own critical data is protected.

The seemingly insurmountable threat landscape adds even more complexity. Cybercriminals are becoming more sophisticated, and everything from state-sponsored attacks to organized criminal campaigns are occurring around the clock. Advanced defensive solutions can be helpful but may also be difficult to operate, adding yet another layer of difficulty.

Listen to the podcast: Tell it like it is… but in English

Zooming In on the Big Picture

Complexity is not necessarily a bad thing, but understanding what causes it goes a long way toward dealing with it. CISOs must understand what creates complexity in their organizations. They should, for example, remove any tools that do not add value and delegate tasks to direct reports whenever possible.

Organizational complexity creates big obstacles that make it difficult to get things done. Executives and board directors often lack a realistic understanding of how information security and the related challenges actually affect their businesses. I’ve noticed that many leaders simply revert to past personal experiences to address security issues from a big picture perspective, yet they fail to understand or consider the consequences of that, especially as it relates to employees. It could result, for example, in inadequate processes and ambiguous role definitions.

What Drives CISO Complexity?

Security leaders must identify pockets of individual strength and weakness in their departments to effectively deal with these challenges. It is important to properly delegate work to individuals who can deal with delicate situations and also to train others to develop the required skills. This enables the CISO’s staff to create and use networks within organizations to build relationships. A team effort is required to overcome poor processes, manage complexity and bridge organizations silos.

Organizations have varying degrees of complexity due to both internal and external factors. To top it all off, security staff members view complexity differently than executives. Those stakeholders must recognize how their staff deals with complexity and develop an understanding of what drives it.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today