Balancing act: CISOs knife-edge role in modern cybersecurity

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

As the risk of cyberattacks has increased in recent years, so too has the C-suite’s recognition of the importance of cybersecurity leadership.

The role of the Chief Information Security Officer (CISO) has thus emerged. Today’s CISO is regarded as a senior decision-making executive with the ability to make or break a company's security posture and potentially its future. This development is positive and a sign that the area of cybersecurity is no longer seen as a set of back-office processes and technical roles.

However, with greater visibility comes greater responsibility. The CISO is now constantly scrutinized by the board of directors, executive leadership, and the media. Any security violation is negatively associated with the CISO, and they can often rapidly be held to blame for a company's security issues.

The rise of cybersecurity’s perceived value, the exponential increase in the number of cyberattacks, and the ever-increasing use of AI and other advanced technologies in the field are putting the CISO on a knife edge that they now must traverse.

Peter Scott

Global Director of Security at DXC.

Increased accountability

Governments are increasingly passing regulations that require businesses to implement specific cybersecurity measures and report on breaches in a timely manner. Company executives are increasingly being held to account.

A clear example of this was seen in late 2022, when an earlier cyber breach at Uber led to its CISO being found guilty of federal charges of covering up the incident, reporting details late, and omitting key information. He was sentenced to three years’ probation, narrowly avoiding jail with the judge commenting that if the same thing happened tomorrow, he would be serving time behind bars.

The verdict in this case sent a clear message to businesses that they cannot simply cover up data breaches and hope they will not be caught. If a business does experience a data breach, they have a legal obligation to report it to the authorities and their customers and this is fast becoming litigious in the US. This obligation is naturally centering around the CISO.

Similar expectations for CISOs and security teams are present in Europe. Enhanced personal liability and duty of care are becoming increasingly unavoidable for many industries under the NIS2 (Network and Information Systems Directive) - a directive to set higher standards for cybersecurity across the European Union - and DORA (Digital Operational Resilience Act).

This change is unnerving for CISOs as their role is officially recognized by regulators, shareholders, and customers. 62% cited concerns about personal liability in a recent global survey by Proofpoint, demonstrating the increased pressures of the role.

Advanced technologies

Cybercriminals are already experienced users of AI, with ransomware producers incorporating AI and machine learning techniques into their malware while using it to target specific victims and evade antivirus software detection. Such use of advanced technology is expected to continue as ransomware developers become more proficient in their tactics and multiply the challenges CISOs will face.

While AI can automate threat detection and response, it requires an understanding of past threat activity. As a result, cybercriminals are coming up with novel attacks that will slip past existing detection methods trained on historic data sets.

For CISOs, keeping pace with the rapidly accelerating cyber arms race will be challenging. For example, Quantum computing is moving from an experimental technology with limited applications to a practical technology with industrial and business applications. In the next ten years, quantum is expected to undermine many of the current encryption algorithms that are widely deployed in commercial and government applications. CISO’s need to plan to migrate their legacy encryption algorithms to quantum hardened encryption that pushes back the date for practical quantum computer decryption. Changes to key and certificate infrastructure takes planning and time to execute in any large and complex enterprise.

Cyber security skills

With the rise of cybersecurity attacks and the growth of the cybersecurity industry more broadly, CISOs face a persistent challenge in recruiting skilled cybersecurity professionals. Indeed, research by ThoughtLab shows that 60% of organizational decision-makers now agree that the global shortage of qualified cybersecurity staff creates additional risk to their business.

Automation has been a partial answer to this skills gap for CISOs, enabling them to automate AI-based security controls and response mechanisms, react faster and more accurately to cyberattacks, reduce possible downtime, and protect personal and business-critical data. This means that fewer resources are required to perform manual tasks, allowing CISO’s to redeploy their talent to oversee the AI tools and make critical decisions.

Today’s macroeconomic environment requires a workforce that can withstand change. Investing in new technologies and continuing to embrace AI and quantum computing will enable CISOs and security leaders to meet the latest challenges presented by cyber criminals. Moreover, while cybersecurity may have risen to the top of the C-suite agenda, this has not always led to adequate investment. CISOs and security leaders should make a clear business case for funding and investment to adequately protect their organizations and ecosystems from the ever-growing cyber threat.

We've featured the best business VPN.

Peter Scott is Global Director of Security at DXC. Peter has 25 years in IT. He previously held key roles at BT, having started his career at the UK Ministry of Defence.

Read more
Cyber-security
Dealing with the issue of CISO stress
Cyber-security
Security leaders don't want to be held personally liable for attacks
Cartoon Phishing
Hackers use GenAI to attack more frequently and effectively
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
An image of network security icons for a network encircling a digital blue earth.
Why effective cybersecurity is a team effort
A padlock resting on a keyboard.
AI-powered cyber threats demand enhanced security awareness for SMEs and supply chains
Latest in Pro
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Teams
Microsoft Teams is finally adding a tiny but crucial feature I honestly can't believe it never had
Oracle
Oracle denies data breach after hacker claims to hold six million records
Judge sitting behind laptop in office
A day in the life of an AI-augmented lawyer
Latest in News
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
Android 16 logo on a phone
Here's how Android 16 will upgrade the screen unlocking process on your Pixel
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations