The stakes are higher than ever for CISOs. A single breach can be catastrophic for an organization, and new rules and regulations add even more pressure. We surveyed 200 CISOs on the current landscape and asked a handful of them for advice on how to overcome today’s challenges. Here are some of their key recommendations for CISOs navigating that landscape.
1. Stay Focused on Managing and Communicating Business Risk
“We should be adding value to the business, but we have to have a talk track so there is an understanding that we’re not just some entity that sits out there on its own island separate from the business. We are part of the business, and we enable the business to do what it needs to do successfully in a secure manner.”
-Richard LaTulip, field CISO at Recorded Future
To effectively manage cybersecurity risks, it’s essential for CISOs to align their efforts with the organization’s overall business goals. Instead of solely focusing on technical aspects, CISOs should actively engage with business leaders and stakeholders to identify and prioritize risks that could impact the organization. By adopting a risk-based approach, CISOs can allocate resources effectively and communicate the potential impact of cybersecurity incidents to the C-suite, enabling informed decision-making.
2. Get Business Leaders to Practice Worst-Case Scenarios
“Tension is not a bad thing, but it needs to be managed, and everybody needs to understand the roles that they play in those kinds of environments.”
-Carraig Stanwyck, head of global cybersecurity and compliance at Avnet
Preparing for worst-case scenarios is crucial in today’s cyber landscape. CISOs should collaborate with business leaders to conduct tabletop exercises and simulate cyberattacks to test the organization’s incident response capabilities. By involving key decision-makers in these exercises, CISOs can raise awareness about potential vulnerabilities, identify gaps in the response plan, and ensure a coordinated and effective response in the event of a real cyber incident.
3. Get Covered by D&O Insurance
“CISOs should be covered by the directors and officers (D&O) insurance. I advise them to talk to their management and HR to get that D&O insurance. And also I advise them to be ready to walk away if those needs are not met.”
-Dd Budiharto, founder of fractional CISO firm Cyber Point Advisory
Given the increasing personal and professional risks associated with cybersecurity, CISOs should consider obtaining D&O insurance. This type of insurance provides financial protection for CISOs in the event of legal actions or regulatory investigations related to cybersecurity incidents. By securing D&O coverage, CISOs can help mitigate their personal liability and focus on their primary objective of protecting the organization from cyberthreats.
4. Use SEC and Other Regulations to Drive Action From Your C-Suite
“You have to realize that you have some power now with the SEC rules. You have a hammer. You also have a lot of risk, but with that risk comes some power.”
-Aaron Shaha, CISO at CyberMaxx
With the introduction of stricter regulations, such as those from the U.S. Securities and Exchange Commission (SEC), CISOs can leverage these requirements to gain support and resources from the C-suite. By highlighting the potential consequences of noncompliance and the need for robust cybersecurity measures, CISOs can effectively advocate for cybersecurity initiatives, secure budget allocations, and ensure that cybersecurity is prioritized at the highest level of the organization.
5. Create a Documented Risk Acceptance Workflow
“I have a template I use for risk acceptances or control exceptions. And in my risk framework, I have a hierarchy. If it’s a low risk, the risk owner can accept it. If it’s moderate, then it goes up to the functional department head. Then if it’s high, it goes to me or a delegate on my team and the general counsel. And then, if it’s critical, it goes up that chain to the CEO.”
-Kayla Williams, CISO at Devo
To avoid unnecessary delays in decision-making and keep risk management streamlined, CISOs should establish a documented risk acceptance workflow in collaboration with business stakeholders. This workflow should outline the criteria for evaluating and accepting risks, clearly define who is responsible for each decision, and provide a transparent framework for risk assessment and mitigation. By involving business stakeholders in this process, CISOs can ensure that risk acceptance decisions align with the organization’s risk appetite and strategic objectives.
Tap Into More Wisdom Today
CISOs face no shortage of challenges. Leaning on the collective wisdom of seasoned CISOs will help you succeed and navigate the complex challenges that come with the role. For more expert insights, download The Modern CISO: An Essential Guide for CISO Success.