‘Tis the season of giving gifts, charity, and holiday cheer. As much as a Chief Information Security Officer (CISO) likes to celebrate the end of another year, there is still plenty of work to do because, as we all know, cybersecurity threats aren’t going away anytime soon.
Since this is the time for making a list and checking it twice, it would be nice to do the same as a CISO. It’s easy to wish for better tools for fighting cyberattacks, insider threats, and all the other holiday cheer-killers out there. However, this CISO’s holiday wish list has much, much more, including focusing on approaches that will help grow the business (gasp!) and help us grow into an overall better CISO.
An Increased Budget (Duh!)
With cybercriminals evolving and getting smarter, organizations need to put the tools in place to better protect their data. Unfortunately, those resources aren’t cheap and can be a tough sell to the decision-makers of the company.
A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center found that financial services, on average, spend 10% of their IT budgets on cybersecurity. This cost pales in comparison to the average cost of a cyber breach, and a budget this small is typically not adequate to reduce risk enough so that it meets the predetermined risk appetite agreed upon by the board and/or decision-makers.
So how does a CISO move the needle?
When presenting to the leadership team, here are a few points to highlight when asking for additional investment in cybersecurity:
- The cost of a security incident – According to IBM and the Ponemon Institute, the average cost of a data breach globally totals around $3.86 million.
- The company’s reputation – With a cyber incident, your current clients could seek out competitors who promise better protection of their data.
- Regulatory consequences – Your company may face penalties when not complying with various IT security regulations.
Remember, when presenting the above stats, hammer home the quantitative financial numbers! Focus on the bottom-line risk in dollars and cents. Give tangible quantitative estimates of what financial setback the organization could expect in these different scenarios, and offset that against the cost of the increased budget being proposed.
As mentioned previously, part of being a CISO includes communicating persuasively and effectively with senior leadership about the necessity of an increased IT security budget. It’s easy to get too technical, so a CISO needs the self-awareness to hold back the tech talk and use practical “business speak.”
Communicating with end users is just as important as collaborating with decision-makers. It’s imperative to understand your end users, i.e., empathy/EQ. If you make this a focus, you can identify the “why” in their day-to-day, and then use that understanding to better educate them about how cybersecurity can improve their everyday work life moving forward. Understanding their role and challenges within the company will allow you to use the right messaging when attempting to engage them, and will foster the adoption of better cybersecurity practices.
There is a shortage of cybersecurity talent, and that may get worse in 2020. A 2018 report from the (ISC)², an international, nonprofit association for information security professionals, said the shortage of cybersecurity professionals is approximately 2.93 million.
To help businesses keep up with the cybersecurity shortage, it may be time to consider Security Operations Center as a Service (SOCaaS).
A SOC should be staffed with multi-tiered security analysts who monitor all aspects of an organization’s IT environment. This includes looking for threats and suspicious activity surrounding endpoints, servers, desktops, applications, internet traffic and more. A SOCaaS solution involves a third-party company operating as a SOC for its clients. This allows businesses and IT departments who lack internal cybersecurity resources to access a 24/7 SOC with deep personnel and expertise in a turnkey fashion.
Some of the benefits of a SOCaaS, according to TechTarget, are:
- Faster response times to incidents
- Less time between when an incident occurs and when it is detected
- Lower costs and less damage associated with breaches
- Assistance with companies that must adhere to compliance guidelines such as HIPAA and FINRA
- Continuous monitoring services to contain threats
- Greater control and transparency surrounding IT security operations and procedures for a CISO
- A better customer experience (CX) for both employees and clients
- An unbiased and objective approach to security
Burnout affects the physical and mental health of many CISOs, due to the stress of the job. According to a survey from Nominet, 91 percent of CISOs say they suffer “moderate or high” levels of stress, and 60 percent “rarely” disconnect from their work role.
Even worse, a third of the CISOs surveyed feared for their jobs, as cyberattacks are an ongoing threat, and more than half don’t believe they have the budget or resources to deal with the current landscape. The burnout is so bad that the average tenure of a CISO is between 24 and 48 months, which is much shorter than that of a CFO, who averages around six years in the position.
Stress and potential burnout from the job can cause strains on both your professional and personal relationships. Here are a few tips on how to deal with the stress, and when to seek help:
- Recognize the signs of burnout, such as angry outbursts, poor sleep and eating habits, cynicism, etc.
- Accept the things that cannot be controlled, and have proactive plans in place to help remedy situations (a nice word for fires) that may arise.
- Continue training, as certifications and ongoing education can help with added knowledge while also enhancing self-value.
- Talk about it. Colleagues and family can offer support.
- Schedule some unplugged time off, whether that’s a vacation or even a staycation.
Reducing the Noise and Setting Achievable Goals
There is an abundance of information and tools out there that can help with your job. However, there are so many choices that it can be overwhelming. One of the ways to reduce the noise includes taking a strategic approach to streamlining and enhancing processes and tools/technologies that are already in place.
Instead of going for something shiny and new, focus on reducing technical and operational debt; that is, consider improving upon the tools that you are already using (crazy, I know). Continue to tune, measure, and audit tools and processes to ensure they are operating optimally and achieving a high level of effectiveness for your organization. Only once you have done that should you reassess whether additions are necessary.
Another way to reduce the noise is to set corporately oriented goals for your division in 2020. Make sure they are realistic and attainable and make sure you can demonstrate how they contribute to the business goals of the organization. Within your design and pursuit of those goals, prioritize and focus on what can be accomplished under your purview, rather than stressing about the things that are out of reach or that can’t be controlled.
As we all know, a CISO’s work is never done, but I encourage whoever is reading this and is responsible for their organization’s information security to take time this holiday season to reflect, unwind, and even congratulate yourself on the hard work you’ve put in this year. Appreciate the countless things you do behind the scenes and the tireless effort you put in to keep your organization safe! Happy holidays, and here’s to a fantastic 2020!
If you ever have any questions or need assistance with your cybersecurity solutions, contact our experts at Stratosphere Networks at 877-599-3999 or firstname.lastname@example.org.