Balancing act: CISOs knife-edge role in modern cybersecurity
CISOs juggle accountability and tech amid rising cyber threats
As the risk of cyberattacks has increased in recent years, so too has the C-suite’s recognition of the importance of cybersecurity leadership.
The role of the Chief Information Security Officer (CISO) has thus emerged. Today’s CISO is regarded as a senior decision-making executive with the ability to make or break a company's security posture and potentially its future. This development is positive and a sign that the area of cybersecurity is no longer seen as a set of back-office processes and technical roles.
However, with greater visibility comes greater responsibility. The CISO is now constantly scrutinized by the board of directors, executive leadership, and the media. Any security violation is negatively associated with the CISO, and they can often rapidly be held to blame for a company's security issues.
The rise of cybersecurity’s perceived value, the exponential increase in the number of cyberattacks, and the ever-increasing use of AI and other advanced technologies in the field are putting the CISO on a knife edge that they now must traverse.
Global Director of Security at DXC.
Increased accountability
Governments are increasingly passing regulations that require businesses to implement specific cybersecurity measures and report on breaches in a timely manner. Company executives are increasingly being held to account.
A clear example of this was seen in late 2022, when an earlier cyber breach at Uber led to its CISO being found guilty of federal charges of covering up the incident, reporting details late, and omitting key information. He was sentenced to three years’ probation, narrowly avoiding jail with the judge commenting that if the same thing happened tomorrow, he would be serving time behind bars.
The verdict in this case sent a clear message to businesses that they cannot simply cover up data breaches and hope they will not be caught. If a business does experience a data breach, they have a legal obligation to report it to the authorities and their customers and this is fast becoming litigious in the US. This obligation is naturally centering around the CISO.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Similar expectations for CISOs and security teams are present in Europe. Enhanced personal liability and duty of care are becoming increasingly unavoidable for many industries under the NIS2 (Network and Information Systems Directive) - a directive to set higher standards for cybersecurity across the European Union - and DORA (Digital Operational Resilience Act).
This change is unnerving for CISOs as their role is officially recognized by regulators, shareholders, and customers. 62% cited concerns about personal liability in a recent global survey by Proofpoint, demonstrating the increased pressures of the role.
Advanced technologies
Cybercriminals are already experienced users of AI, with ransomware producers incorporating AI and machine learning techniques into their malware while using it to target specific victims and evade antivirus software detection. Such use of advanced technology is expected to continue as ransomware developers become more proficient in their tactics and multiply the challenges CISOs will face.
While AI can automate threat detection and response, it requires an understanding of past threat activity. As a result, cybercriminals are coming up with novel attacks that will slip past existing detection methods trained on historic data sets.
For CISOs, keeping pace with the rapidly accelerating cyber arms race will be challenging. For example, Quantum computing is moving from an experimental technology with limited applications to a practical technology with industrial and business applications. In the next ten years, quantum is expected to undermine many of the current encryption algorithms that are widely deployed in commercial and government applications. CISO’s need to plan to migrate their legacy encryption algorithms to quantum hardened encryption that pushes back the date for practical quantum computer decryption. Changes to key and certificate infrastructure takes planning and time to execute in any large and complex enterprise.
Cyber security skills
With the rise of cybersecurity attacks and the growth of the cybersecurity industry more broadly, CISOs face a persistent challenge in recruiting skilled cybersecurity professionals. Indeed, research by ThoughtLab shows that 60% of organizational decision-makers now agree that the global shortage of qualified cybersecurity staff creates additional risk to their business.
Automation has been a partial answer to this skills gap for CISOs, enabling them to automate AI-based security controls and response mechanisms, react faster and more accurately to cyberattacks, reduce possible downtime, and protect personal and business-critical data. This means that fewer resources are required to perform manual tasks, allowing CISO’s to redeploy their talent to oversee the AI tools and make critical decisions.
Today’s macroeconomic environment requires a workforce that can withstand change. Investing in new technologies and continuing to embrace AI and quantum computing will enable CISOs and security leaders to meet the latest challenges presented by cyber criminals. Moreover, while cybersecurity may have risen to the top of the C-suite agenda, this has not always led to adequate investment. CISOs and security leaders should make a clear business case for funding and investment to adequately protect their organizations and ecosystems from the ever-growing cyber threat.
Peter Scott is Global Director of Security at DXC. Peter has 25 years in IT. He previously held key roles at BT, having started his career at the UK Ministry of Defence.