January 11, 2017 By George Moraetes 3 min read

The CISO’s job is about to get even harder in 2017. According to my crystal ball, the new year will bring many new concerns for CISOs. The best way to proactively deal with these inevitable surprises is to analyze and anticipate failures from years past.

Yahoo suffered the biggest bombshell breach of 2016 — indeed, the most expansive in history — when it disclosed that 500 million accounts had been compromised since 2014. The technology company later discovered that more than 1 billion accounts had been compromised since 2013.

Predicting the Top Three Concerns for CISOs in 2017

This breach and dozens of other high-profile incidents stem from the unwillingness of executive management to focus on security. With this in mind, the top three concerns for CISOs today relate to alignment with business needs, the industrywide skills shortage and the increasing sophistication of cyberthreats.

1. Aligning Security With Business Objectives

One of the primary concerns for CISOs involves balancing security transformation with the daily tasks necessary to reach business goals. IT managers must map out the security infrastructure within the context of business objectives. This is a challenge due to the difficulty of obtaining buy-in from other executives to fund IT projects.

The CISO must be a tough decision-maker and relentless in his or her pursuit of IT investment. Each investment must address the business strategy objective to be successful. Moreover, every project endeavor must correspond directly to the business objectives that will motivate executives to jump aboard.

2. The IT Skills Shortage

CISOs are also challenged with finding individuals who possess both technical and soft skills. These candidates must be able to engage and understand the business, making the CISO’s job much easier. Addressing the skill shortage goes hand in hand with aligning security with the business. It is difficult to find business-savvy candidates to help the organization align with its objectives and move forward. Aside from technical skills, business skills come with experience, time and maturity. Soft-skill competency is becoming far more important than technical skills in today’s corporate environments and directly affects security performance.

Business executive leadership often sees IT as risk-averse and incapable of fully understanding business objectives. CISOs often struggle to align security with business objectives because senior managers try to circumvent it. To address this, IT teams should become consultative resources to the business side. This will serve to vastly improve the soft skills of their personnel.

3. Sophistication of Cyberthreats

The third concern involves combating cyberthreats and keeping up with increasingly sophisticated attack methods. The most problematic threats are invisible ones, such as zero-day vulnerabilities. CISOs must also beware of state-sponsored cybercrime groups and the extensive surveillance and research methods they employ. These groups may search for reckless, disgruntled employees or plant contractors to infiltrate the organization, gather intelligence about the company and exfiltrate sensitive data.

These advancements are worrisome because they impact the CISO’s ability to address them head-on. The escalation of cyberthreats is overwhelming, and no company of any size can keep up with every threat that surfaces. The CISO must consider adaptive countermeasures to proactively detect advanced cyberthreats before it’s too late. For example, tools such as security behavioral analytics can be used to detect internal threats.

Unfortunately, board members often consider security gaps as a cost of doing business. They may align with the presentation you deliver but fail to grasp the impact, believing it costs more to fix the gap than to leave it vulnerable. Board members must understand the long-term repercussions.

Building a Security Strategy for the New Year

CISOs will surely meet challenges when crafting strategies that align with business objectives, address the skills shortage and counter advanced cyberthreats. To sell such a strategy to senior management, CISOs must establish various sets of reporting metrics against which the chief information officer (CIO) and other executives can measure security performance. The metrics should always be value-focused, performance-based and improvement-oriented.
