
Seven mistakes CISOs still make

Today’s CISOs are well-informed and highly skilled individuals. However, even the best tech leaders can fall prey to persistent myths and misjudgements.

Here's SC Media's lowdown of some of the top misconceptions plaguing CISOs:

#1 Thinking it’s just an IT problem

The security function doesn’t exist outside of the business. Threats and their solutions don’t involve just the IT department, and to properly protect the organisation, CISOs need to understand the business.

Richard Brinson, CEO of Savanti, points out that one survey shows that boards rank cyber security as a major concern, yet another report reveals that fewer than half had taken any dedicated action, such as requesting cyber security updates, conducting third party audits or involving themselves in their organisation’s cyber security.

“Boards and senior executives don’t know what they need, and CISOs have a mountain to climb in terms of closing that knowledge gap,” he says.

“Yet too often, CISOs view themselves as advisers to the board, focusing on discrete functions that they deliver for and on behalf of the organisation, rather than viewing themselves as transformation leaders.”

#2 Treating systems as off-limits

We all know that running tests against production systems can be scary. But you need to think carefully about declaring any systems as off-limits.

“I have seen instances where CISOs didn’t want to scan any applications where the application environment or owner was unknown,” says Mark Townsend, VP of Professional Services at Invicti. “In many of these cases, they had no application inventory. CISOs are rightfully worried about creating electronic evidence of unpatched vulnerabilities because they are directly accountable if something is awry. However, ignorance is not a defence, and attackers don’t care about the owners or environments – they’re looking for the entry points that come with vulnerabilities.”

#3 Security as a feature

Too often, security is an afterthought. Or, at the very least, it’s thought about separately, as an adjunct to IT or business programmes.

“Companies see security as something that they need to add on to their systems, rather than something that should be integrated into everything they do,” says Aylin Sali, CTO and co-founder at Runecast. This can lead to inadequate security budgets, he adds, as security is, “seen as an optional extra rather than a vital part of the company’s infrastructure. It’s important to remember that security should be built into everything a company does, from the ground up.”

#4 A wrong approach to assets

One question CISOs must frequently ask themselves is, ‘what am I protecting?’. And they can get that answer wrong if their focus is on only those things that impact the business directly.

“When assessing assets, there has been a tendency to ignore data about customers/users/visitors, as leaking that data doesn’t directly harm the business,” says Jeffrey Goldberg, principal security architect at 1Password. “That thinking leads to the Equifax situation in which data on millions of non-customers was very badly protected. You are responsible for protecting that kind of information along with things that are more directly assets.”

#5 Failure to communicate

It would be easy to assume that a CISO’s core competencies are all about technology. However, the ability to communicate throughout the organisation is arguably more important.

“Being a strong communicator should be seen as a non-negotiable skill for every CISO,” says Brinson. “Research tells us that many CISOs fail because they’re unable to persuade business leaders that cyber security risk is not just a technical problem or a compliance exercise.”

A recent report found that the most effective CISOs spend at least 75% of their time on stakeholder engagement, he adds.

#6 Security as a static state

In addition, a CISO’s job is never done. There’s a misconception that security is a static state that can be achieved and then maintained.

“In reality, security is a dynamic process that requires constant vigilance and adaptation,” says Sali. “As new threats emerge, old security measures may become obsolete or less effective. CISOs need to be prepared to evolve their policies and procedures to keep up with the latest threats.”

#7 It’s all down to you

Finally, there’s the idea that CISOs are solely responsible for the security of their organisations. “This is not the case,” says Sali. “Everyone in an organisation has a role to play in security, from the CEO down to the individual employees.”

Text by Steve Mansfield-Devine
