Is the S in CISO starting to stand for "scapegoat"?
Managing a company's digital security is hard work. But it has become significantly harder since 2020. Rapid workplace digitisation, remote working models, the proliferation of IoT data, growing cybersecurity legislation, and demand for integrated digital environments all add tremendous pressure to CISO roles.
CISO burnout is a real problem. By some accounts, over 80% of CISOs are highly stressed, and many CISO tenures don't last beyond two years. On a personal level, being a CISO can tremendously impact their well-being, as many worry about personal litigations stemming from breaches, increased personal risk, and expanded responsibilities without the time to meet all of them.
Security's business problem
But let's cut to the chase. There is an underlying issue that has little to do with the CISO, evident in two areas: tightening security budgets and ongoing ignorance among business stakeholders. For years, Performanta and other forward-looking security providers have urged security professionals to include and empower boards and executives with cybersecurity knowledge. However, the problem might be on the other side.
CISOs are trying to reach other business leaders, yet they often fail. Why is that? Many business leaders still don't grasp the magnitude and complexity of digital security. Instead, if security fails, that means the CISO has failed.
But all this attitude accomplishes is to turn the CISO into a scapegoat. You cannot blame security failures on the CISO until you are sure your company's security programme is doing its job. The security programme does not begin and end with the CISO. They are the facilitator, but the programme belongs to the business.
This dynamic is evident in the market, where mature companies with established and supported security programmes also tend to have long-term and highly successful CISOs.
The DNA of good security
How can you ensure your security programme is up to the task?
The business must own the programme. That means the programme must speak to the business. Here, we can hold the security market to task. Too often, security companies sell products to solve problems. You have data leakage issues, so you get a Data Leakage Prevention (DLP) solution. You have endpoint security problems, so you get an Endpoint Detection & Response (EDR) solution. You want 24-7 monitoring, so you get a Security Operations Centre (SOC) solution.
But are these integrated? Are they configured? And most crucially, are they designed to prioritise your most crucial business risks? Are they even the right solution?
You can't parachute in security products and expect ongoing results if they are not aligned with business risks. Yet, if we follow the general security industry mantra and buy, buy, buy, that's what we are doing: placing solutions with little context. Spending goes up, value goes down, and your breach risks do not reduce. The CISO ends up holding the ball. Then, a security incident occurs, stress levels go through the roof, and the CISO resigns or is fired.
How to create effective security
The problem is not the CISO. It's the convenient flirtation between fixing security with a cheque and a business that doesn't own its security responsibilities. How do we fix this?
First, take a clear risk-driven approach informed by business priorities as defined by business stakeholders informed by security systems focusing on business risks.
Second, use security systems that provide ongoing visibility of all digital assets and identify security gaps especially in crucial and overlapping areas.
Third, develop a security programme that combines risk management, and security operations with automation and clear reporting to reduce response times.
Performanta has created Safe XDR to deliver on all three of these areas. We base our approach on Gartner's highly effective Continuous Threat Exposure Management (CTEM) framework. Rather than simply sell another product, we consolidate your security estate and provide the tools to empower security teams, digital managers, and business stakeholders.
Our clients' CISOs don't burn out and leave. Their employers don't turn them into scapegoats. They enjoy long tenures because they have the support of an effective security programme that organically creates total business ownership of security.
Stop turning CISOs into Chief Incident Scapegoats. They are the custodians of security, but businesses own those risks. And with the support of Safe XDR, everyone can play their part to keep their organisations cyber safe.
Commentaires