The CISO’s job is about to get even harder in 2017. According to my crystal ball, the new year will bring many new concerns for CISOs. The best way to proactively deal with these inevitable surprises is to analyze and anticipate failures from years past.
Yahoo suffered the biggest bombshell breach of 2016 — indeed, the most expansive in history — when it disclosed that 500 million accounts had been compromised since 2014. The technology company later discovered that more than 1 billion accounts had been compromised since 2013.
Predicting the Top Three Concerns for CISOs in 2017
This breach and dozens of other high-profile incidents stem from the unwillingness of executive management to focus on security. With this in mind, the top three concerns for CISOs today relate to alignment with business needs, the industrywide skills shortage and the increasing sophistication of cyberthreats.
1. Aligning Security With Business Objectives
One of the primary concerns for CISOs involves balancing security transformation with the daily tasks necessary to reach business goals. IT managers must map out the security infrastructure within the context of business objectives. This is a challenge due to the difficulty of obtaining buy-in from other executives to fund IT projects.
The CISO must be a tough decision-maker and relentless in his or her pursuit of IT investment. Each investment must address the business strategy objective to be successful. Moreover, every project endeavor must correspond directly to the business objectives that will motivate executives to jump aboard.
2. The IT Skills Shortage
CISOs are also challenged with finding individuals who possess both technical and soft skills. These candidates must be able to engage and understand the business, making the CISO’s job much easier. Addressing the skill shortage goes hand in hand with aligning security with the business. It is difficult to find business-savvy candidates to help the organization align with its objectives and move forward. Aside from technical skills, business skills come with experience, time and maturity. Soft-skill competency is becoming far more important than technical skills in today’s corporate environments and directly affects security performance.
Business executive leadership often sees IT as risk-averse and incapable of fully understanding business objectives. CISOs often struggle to align security with business objectives because senior managers try to circumvent security controls. To address this, IT teams should become consultative resources to the business side, which will vastly improve the soft skills of their personnel.
3. Sophistication of Cyberthreats
The third concern involves combating cyberthreats and keeping up with increasingly sophisticated attack methods. The most problematic threats are invisible ones, such as zero-day vulnerabilities. CISOs must also beware of state-sponsored cybercrime groups and the extensive surveillance and research methods they employ. These groups may search for reckless, disgruntled employees or plant contractors to infiltrate the organization, gather intelligence about the company and exfiltrate sensitive data.
These advancements are worrisome because they undermine the CISO’s ability to address threats head-on. The escalation of cyberthreats is overwhelming, and no company of any size can simply keep up with every threat that surfaces. The CISO must consider adaptive countermeasures to proactively detect advanced cyberthreats before it’s too late. For example, tools such as security behavioral analytics can be used to detect internal threats.
Unfortunately, board members often consider security gaps as a cost of doing business. They may align with the presentation you deliver but fail to grasp the impact, believing it costs more to fix the gap than to leave it vulnerable. Board members must understand the long-term repercussions.
Building a Security Strategy for the New Year
CISOs will surely meet challenges when crafting strategies that align with business objectives, address the skills shortage and counter advanced cyberthreats. To sell such a strategy to senior management, CISOs must establish various sets of reporting metrics against which the chief information officer (CIO) and other executives can measure security performance. The metrics should always be value-focused, performance-based and improvement-oriented.