Align your CISO with the CEO and create the right resources to manage your security posture
Over the last couple of months I have read numerous articles that reference the lackadaisical approach organizations are taking when it comes to cybersecurity. For example, CNBC recently reported findings from a survey commissioned by Tanium and Nasdaq. The survey returned alarming responses with more than 90 percent of corporate executives saying they cannot read a cybersecurity report and are not prepared to handle a major attack. Even more distressing was the report of almost half of those executives saying they didn’t feel responsible for the repercussions of a breach.
These results lead me to one of the biggest issues I see in the industry – security teams do not have enough visibility with executive leadership. We can all agree that any successful organization, whether it is a Fortune 500 company or an NFL franchise, must have buy-in at the top and must empower its people to do their jobs. Today, many CISOs still report to the CIO instead of the CEO or the board. This means cybersecurity is still treated as a technical issue versus a business issue.
Additionally, and perhaps equally important, is the severe lack of skilled resources. The ISACA/RSA Conference survey reported that organizations are having a difficult time hiring skilled people: 53 percent of those organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
If you are serious about protecting the confidentiality, integrity and availability of your organization’s information, you need to assign the right people to the right job and use the right reporting structure.
First, let’s tackle how to create more visibility with executive leadership.
Linking the CISO to CEO
As I mentioned before, the CISO should be properly aligned in your organization in order to create the most visibility between your organization’s security team and executives.
Now more than ever, security professionals must demonstrate expertise that aligns directly with the priorities of their organization. To do this, they must convince the CEO that security is a core component of the business strategy, so that the CEO sees the link between that strategy and the protection of the organization's information assets.
By giving security equal footing at the table with the CEO and board of directors, an organization can begin to reduce downtime and financial losses from cybersecurity incidents and ingrain risk management into the DNA of the organization.
Next, you need skilled resources to put your cybersecurity programs to use.
Creating the right resources
Organizations can create the right cybersecurity resources by giving employees a chance to climb the security maturity scale. In the beginning, have them perform foundational procedures: capturing relevant information about the organization's appetite and tolerance for risk, the applicable or required regulations and standards, and the likely threats to the organization's assets. Then move them into a more risk-aware culture where they develop continuous risk improvements and produce proactive approaches to changes in business, technology and compliance. This will not only create a more skilled workforce for your organization, but also provide the proper training for those managing your security posture.