With sophisticated cyberthreats on the rise, businesses and CISOs must continue to evolve by using novel strategies and technology. The challenges that face CISOs are also forcing businesses to pivot, adjusting their cybersecurity strategies to meet post-pandemic objectives. And the stakes have never been higher.
Industry surveys indicate that CISOs will continue to concentrate spending on perimeter security, next-generation identity and access controls, remote access, security automation, and security training. But there are still areas of the cyber landscape that pose unsolved challenges. CISOs should treat these challenges as a way to propel business strategy forward and gain a competitive edge. This goes beyond simple cyber strategy to address the business challenges created by evolving technology.
Visibility Gaps
Without visibility into its digital infrastructure, a company will struggle to recognize when, where, or why there is a problem. Today’s typical enterprise environment, though, makes that visibility hard to achieve. CISOs also need to rethink their analytics strategies, deploying analytics designed for the volume and nature of today’s data, structured and especially unstructured.
CISOs should be building a 360-degree view of their security posture and finding the critical missing pieces that bridge the visibility gap. The foundation of any compliance or security program is reliable telemetry from the endpoints: if the systems being protected are not reporting, nothing downstream can see them. Reducing false positives then gives CISOs a clearer picture of their actual exposure: known vulnerabilities, unpatched systems, and misconfigurations.
Technology Fragmentation & Sprawl
Part of the CISO’s job is, by nature, impossible. Their teams are expected to protect against future attacks whose nature, method, timing, scale, and perpetrators are unknown.
In an effort to strengthen their security posture, CISOs may struggle to balance integrated platforms against fragmented best-of-breed point products. The last thing a CISO wants is to rip and replace tooling and leave unknown gaps exposed, so old tools stay in place while new ones are added, and technology sprawl follows.
The CISO’s role is not simply to put technology in place for the sake of security, but to put technology in place that contributes to business success while reducing cyber risk to an acceptable level.
A company may have more than 100 third-party security tools in use. In many cases, that number is driven by the CISO’s expanding mandate—and desire not to be the one who cancels the tool that might prevent the next big breach.
A duplication of security controls, policies, frameworks, and vendors across IT only drives complexity further. With the continued expansion of data regulations, data-sovereignty laws, and customer interest in data privacy, the CISO is increasingly asked to add tooling, process, and prioritization to retrofit privacy into security.
CISOs need to work with cybersecurity providers to help reduce complexity (or at least not add to the sprawl):
- Deploy products that absorb the functionality of incumbent tools, produce data demonstrating the efficacy of the new layer, and enable the sunsetting of legacy approaches.
- Favor providers that maintain relationships with the major cloud platforms and integrate natively with leading software and platform vendors, since hybrid environments spanning on-premises, public, and private cloud continue to expand.
- Engage all stakeholders, make business-based simplification decisions, and don’t put all the cybersecurity burden
- Organizations should empower their CISOs to make risk-based simplification decisions.
- To manage the skills gap, CISOs should work with cybersecurity providers on offerings that are less people-intensive to deploy, manage, and maintain.
- Move away from one-time product delivery toward annual subscription models that include service delivery.
Cybersecurity Talent Shortage
The cybersecurity talent shortage is a massive problem, and it affects both businesses and security providers. It is genuinely difficult to find a CISO with both technical and leadership (or strategic) skills. With more than 3.12 million cybersecurity jobs estimated to be unfilled in 2021, the shortage affects businesses of all sizes.
There is a gap not only in finding CISOs for large enterprises, but also in providing fractional CISOs to smaller companies that don’t need a full-time CISO. The gap continues to grow as more companies ask for those critical CISO services.
In cybersecurity there is no one-size-fits-all solution, and the same is true of the CISO. It isn’t a cookie-cutter position: not all CISOs are equal, and not all businesses are the same. To find the right CISO, look for one who understands the industry. The hardest combination to find is a CISO who pairs deep technical skill with leadership ability; executives want both, along with a genuine aptitude for security.
AI and machine learning have helped somewhat, especially in a security operations center handling an active attack. But the technology mainly augments security analysts, making human capacity more efficient and freeing it for tasks where experience and creativity are essential; it does not close the hiring gap by itself.
To ease the talent shortage, companies are also moving away from one-time product delivery toward annual subscription models that include service delivery.
Measuring Cybersecurity ROI
The most successful cybersecurity program is one that no one notices and that lets the underlying business function unhindered. Businesses today struggle to measure the ROI of cybersecurity and to communicate its value to internal stakeholders such as the C-suite and board members.
How do CISOs balance implementing the right cybersecurity programs while demonstrating ROI?
- Business value. The security program should reflect the priorities of the business. When business priorities change, the CISO should adjust the security program to the new priorities.
- Customer value. Do customers see the business’s security capabilities as a differentiator? Customers should be able to see clearly that the business is doing everything reasonable to manage risk and protect PII.
- Market value. Do external stakeholders, including investors, vendors, and third-party supply chains, understand the organization’s security journey and the impact of the security team over time? Are security capabilities included as part of the company’s valuation?
- Program maturity. Maturity in no way guarantees resilience, but it does help define and measure ROI appropriately.
Most small and midsize businesses don’t have the resources to employ a full-time CISO, and often don’t know exactly how to articulate the needs and responsibilities a CISO would take on. SMBs typically outsource CISO services to a skilled cybersecurity provider that understands their industry. This lets business leaders stay focused on running the business while an experienced, cost-effective CISO manages their security and compliance.
ACE IT Solutions offers outsourced CISO services to businesses looking to get more ROI out of their cybersecurity investments. Contact us at email@example.com or 646.558.5575 to set up a consultation about our CISO services.