CISOs are Awash in New Challenges


Posted on by Robert Ackerman

In some ways, CISOs have an enticing career. These executives, responsible for developing and implementing cybersecurity programs for corporations, are paid handsomely. The median U.S. CISO salary is $240,000 a year, plus bonuses, according to Salary.com, and as part of their work, CISOs hob-nob relatively often with high-profile corporate leaders on their board of directors.

Nonetheless, they have long had to cope with lots of stress and issues as they balance threat protection, data security, personnel and expenses, all while ensuring that security doesn’t interfere with agility or productivity. In recent years, this has also been aggravated by employees demanding more flexibility and frequently working from insecure networks and locations.

CISOs, once held in low regard because of their relatively narrow skill set, have finally managed to garner respect from their boards. Boards now take cybersecurity more seriously, and CISOs are more inclined to communicate effectively with board members. These days, however, they also often find themselves coping with a cornucopia of issues, including smaller budget increases than in the past and sometimes cuts, the rise of post-breach litigation, growing artificial intelligence-related challenges, and an explosion in digital transformation, which opens the door to more cyberattacks.

Reflecting this, Proofpoint reported in its latest Voice of the CISO report that CISOs have returned to the elevated level of concern they felt early in the Covid-19 pandemic, when tens of millions of additional U.S. employees began working remotely and, in so doing, initially undermined security. Of the CISOs surveyed, 68% reported they feel at risk of a material cyberattack, compared to 48% in 2022. Sentiments about cybersecurity preparedness levels have also reversed.

Here are details about the latest issues confronting CISOs:

+ CISOs this year have struggled to get the size of cybersecurity budgets they believe they need. A recent study of 550 CISO respondents by IANS Research, a Boston-based consulting firm that provides CISOs with security insights, found that more than a third of companies have kept their cybersecurity budgets flat or cut them. Overall, CISO budgets have increased 6 percent this year, down from 17 percent last year and 16 percent the year before. The slowdown in budget growth has been widespread across the IT industry, which has been hit hardest in 2023.

+ A recent survey by Salt Security, a Silicon Valley-based company that specializes in API security, found that almost half of CISOs were concerned about breach-related personal litigation. This reflects several high-profile CISO lawsuits in recent years. Accordingly, Salt says it knows of CISOs who are weighing the option of taking a role below CISO.

+ Artificial intelligence is a significant plus but not without its drawbacks in the cybersecurity domain. Increasingly, companies cannot rely on humans alone to deal with the complexity of their networks and the enormous amount of data generated in their networks. AI is now used by many businesses to manage infrastructure, interpret data and counter cyberattacks automatically. Within the realm of vulnerability management, as an example, thousands of new vulnerabilities are often identified annually, an information load unmanageable by humans. AI, on the other hand, can be used to prevent and manage threats quickly.

There are issues, however, because sophisticated cybercriminals also have access to AI and use it in new ways to make cyberattacks more effective and painful, according to research from Microsoft. Phishing emails generated with AI tools such as the ChatGPT chatbot can also help attackers target victims and convince them that the communication is genuine. Criminals have used AI to produce malware that can adapt to avoid detection, opening the door to an attack.

+ So-called digital transformation, which continues to soar, also produces unforeseen security risks. The term refers to the integration of digital technology into all areas of a business, creating new or modified products, services and operations by translating business processes into a digital format. Nearly 90 percent of CISOs in another Salt survey said digital transformation introduces unforeseen risks.

+ The federal government, specifically the Securities and Exchange Commission (SEC), is also piling on the workload of CISOs. By mid-December, it requires public U.S. companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. The SEC rules also require that all material cybersecurity incidents be reported within four business days. CISOs are heavily involved in this project.

The required compliance isn’t as straightforward as it may seem. One challenge for companies drafting SEC disclosures, for instance, is the need to be compliant yet not give away confidential information about the organization’s cyber program, which conceivably could attract a fresh cyberattack. In addition, there are corporate questions about which criteria and considerations should be used to help CISOs determine whether or not an incident qualifies as material.

Realistically, CISOs aren’t in a position to resolve most of the aforementioned issues. What they can do, however, is build internal alliances to help enhance their effectiveness. If they are new to the company, they should immediately familiarize themselves with current and future strategies to make sure they best meet the needs of their enterprise. And whether CISOs are newcomers or not, they should also make a point of frequently engaging the company’s leaders, board members and rank-and-file employees. A good cybersecurity program always requires buy-in.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
