“Without this, CISOs don’t know what to prioritise or how to get buy-in,” she explains. CISOs who don’t prioritise stakeholder engagement are also more likely to face resistance from their executive colleagues and possibly even see their funding for projects clipped. “CISOs may look at their strategies and think they did everything,” she says, but they won’t have a full picture of enterprise risks unless they’re working with stakeholders to co-create and co-design cybersecurity strategies alongside business strategies.
Keeping security within the security department
Building a great security team but failing to create a security-minded culture throughout the enterprise is a surefire way to undermine success, the experts we spoke with say.
Statistics bear that out. Verizon’s 2021 Data Breach Investigations Report found that 85 per cent of the breaches in 2020 involved a human element.
As Om Moolchandani, CISO and head of research at the cloud tech company Accurics, puts it: “A click on one wrong link could undermine the whole CISO agenda.”
CISOs must develop effective security awareness and training programs aimed at helping all employees understand that they have a role to play in security.
“Culture is important because it’s a force multiplier for the CISO and his or her organisation,” Morrison says. “Almost every attack is accomplished today through a compromised credential or some violation of personal trust—social engineering, phishing, getting a password. So, effective security has to include making everyone who is a target aware [of those risks]; it has to include making security everyone’s job.”
Overlooking your own security workers
Similarly, CISOs who neglect their teams and the culture of their security department will quickly find that the security program suffers as a result, veteran security leaders say.
“People often think of team toxicity or poorly functioning teams as affecting the individual, but it also impacts cybersecurity posture and risk,” says Budge, whose research focuses on enabling the success of the CISO role; creating transformational cybersecurity strategies; and building security awareness, behavior, and cultural programs.
She adds: “If your team is busy fighting, if they’re calling HR, they’re not innovating, they’re not automating, they’re not thinking about the bigger picture or strategy. And that all leads to a nonfunctioning security team.”
Unhappy workers are also more likely to leave. That leaves CISOs not only short-staffed but also struggling to recruit replacements in a market where experienced security professionals are already scarce. After all, what security worker would want to join an unhappy team when there are plenty of other job opportunities out there?
That negatively seeps into the broader organisation, too, she says. “It then further adds to the negative impression of security. [Other employees will think] ‘We can’t speak to them, they can’t even speak to each other.’”
If CISOs find themselves presiding over a toxic culture, they need to draw on their leadership skills and put in place the management and workplace measures, such as team-building and training programs, that can set their departments on a better path, Budge says.
Falling for the new stuff
CISOs have their pick of a growing number of emerging technologies and processes, such as extended detection and response (XDR), behavioral analytics, threat hunting and the zero trust model. But those advanced options won’t deliver real security gains if CISOs aren’t executing well on the basic elements of a solid security program, or if they haven’t tuned those basics to the specific needs of their own organisation.
“What we’ve seen recently when we do analyses on breaches, there are technical loopholes or security flaws that the adversaries took advantage of,” Moolchandani says.
To be truly effective, he says, organisations need security programs that are tailored to their particular risks and most likely sources of threats. A utility, for example, is more likely to be targeted by hacktivists and nation-state actors than a small-scale retailer, while both are vulnerable to opportunistic attacks. CISOs who understand those points tailor their security strategies to the organisation’s particular requirements. And focusing on perfecting the basics of cybersecurity can, in Moolchandani’s words, “provide the maximum value even with the limited budgets they have.”