Having spent the last 12 years as a CISO in multiple roles, I sometimes think I have seen everything that could stop my security program from being successful. Then along comes yet another squirrel to prove me wrong. I could use a more colorful adjective, but I think we all can grasp the picture of a squirrel that is annoying and distracts you with its constant chatter and antics. Cybersecurity as a profession is unique because when you think about it, the CISO and their team are protecting a business from itself. Of course, you also have the fact that companies don’t like to admit they need protection.
No Budget for FTEs
With this in mind, I want to talk about challenges CISOs face that make the job stressful and demanding. Let’s face it: Those of us who serve in the CISO role and deal with its challenges are here because we believe what we do in our job matters and we love helping people. However, at times the job does suck. Now that I have everyone in a positive mood, let’s discuss some problems that CISOs face and how they can overcome them. Please keep in mind this isn’t a complete list.
Legacy Networks That Can’t Be Touched
This is one of the more difficult issues CISOs must manage because the culture tends to push back and make it extremely hard for CISOs to make required changes. The best way to handle this is through visibility. Get employees to meet the security team members and assist with projects. Regularly brief peers, executive staff, and board members on initiatives and discuss how they are supporting the business and enhancing revenue. Correcting this problem is not easy. It takes time, and you will need to reach out to peers for help.
CISOs tend to run into this issue when an organization has a resource or headcount constraint. The management of headcount is one method CFOs utilize to control profit and loss and, unfortunately, security programs require team members unless you outsource. If you are dealing with this issue, see if there is a way to cross-train people from other teams or departments. Personally, I have used IT and Dev team members who wanted to come to the dark side (and HR was happy because it didn’t involve any new hires). To accomplish this, you will need to meet your peers and get some of them to champion your requirements.
Critical Partners with Unknown Risks
I have experienced this several times, and what typically drives this type of challenge is that the legacy asset is a critical business requirement for the company. From the CISO perspective, we see risk, we see a doorway into the company, and we see non-compliance with a critical business certification or regulation.
Compliance, what compliance?
As a CISO, your best bet is to lay out the risks and then lay out several alternatives to address them before your company’s leadership team and let them pick the way forward. The point to remember here is this risk is not yours, so don’t let it eat you up with stress. It belongs to the business due to decisions the company has made in the past. Your job is to make the risks and remediation alternatives visible so an informed decision can be made.
I think many of us CISOs run into this one when our networks are connected to partners, and we both are trusting that we have our security issues adequately managed. For this issue, I recommend using a scorecard tool that can provide a risk score using publicly available information. Then, with the resultant report, contact your fellow CISO in your partner company and see if you can work together to remediate any findings. Maybe they are unaware of some of the information their company is leaking onto the internet, which puts both of your organizations at risk. So talk and see how you can help each other.
Adverse to Change
The challenges CISOs face with compliance have literally filled volumes in cybersecurity books. The issue I want to touch on, and one I know many CISOs are concerned about, is that the business pays lip service to compliance but, in reality, ignores it and gives it low priority. I have seen this in the past where the company initially is excited to get certified, and multiple departments are involved. Over a set period, a lot of effort and resources are expended on the compliance effort, and the company gets certified. After certification, everything goes quiet, and there are now no resources available to stay compliant. I have had peers complain that leadership didn’t understand that compliance frameworks like ISO, PCI, HIPAA, or NIST require maintenance after the fact. I have had friends say their bosses were incensed that they weren’t done, that there needed to be a line item in the budget to maintain compliance. The way to deal with this issue is for you as the CISO to make it clear upfront that getting compliant with a specific certification, whether due to the industry the company operates in or the sensitive data the business uses, will require a continuous effort. When I speak to boards and leadership teams, I equate it to having a child: now that the baby is born, we are responsible for it and need to raise it and take care of it — welcome to the world of compliance.
Now comes the challenge that I know many of us CISOs have had to manage: a boss that doesn’t understand cyber and yells at you to fix random stuff, or one who doesn’t care about cybersecurity because you are just a checkbox for them for when the next audit is held in a couple of months. Working on this type of challenge takes time because you have to make it worth their while to care about you and your security program. I have seen this multiple times with peers and myself; basically, the boss is worried about the larger picture, or because of culture or politics, security doesn’t have much sway. You as the CISO are an orphaned manager. As I stated previously, to attempt to fix this issue you need to get them to see your value. How I have done this is to go out into the departments and business units in my organization and meet my peers. Then, having established those relationships, I look for where we can partner on initiatives or projects and start building up my credibility. Does this mean I am going around my boss? No, it doesn’t; you should let them know what you are doing. You are doing it for the program and ultimately for them. One last note: be patient. This takes time, and it pays off, because when your efforts pick up momentum those relationships with your peers develop into champions for your security program. Believe me, with these champions your boss will start paying attention.
Stay in your box
One of the hardest challenges you will face as a CISO is that the business wants you to implement a security program but doesn’t want you to rock the boat or change anything. I have seen this issue so many times as a CISO that I am no longer surprised by it. I expect every company gives some pushback concerning its security and risk management programs. The way you manage this issue is to get out and meet your peers in the business units, so they know who you are. You need to be visible in the company, so the security team isn’t unknown; instead, everyone knows who you are and how to get in touch with you for help. Finally, you need to approach your initiatives with the mantra “small is good, small is no impact, small is happiness.” Break your projects and initiatives into small components, then brief them individually and focus on them one at a time. It takes longer, but it reduces the impact. Plus, there will be more visibility and acceptance for what you are doing, and you still get things done.
Unrealistic Goals for the Security Program
This challenge is all about the history and the previous CISOs who have come and gone before you. This issue is usually seen when the security program has lost trust, and no one believes the CISO or team members. I have been in situations where my professionalism was questioned because of something a previous CISO from four years before me had done. This type of toxic waste is tough to clean up because you are dealing with past actions that don’t even apply to you. It’s almost like shadowboxing: as the CISO, you expend a large amount of effort and resources chasing shadows and trying to repair the damage done before you. What makes it worse is that you have to do it; you can’t leave these issues around and let them fester and make things worse. You have to clean them out by making them visible and getting everyone together to talk. Once it’s discussed, you need to have a plan to lay on the table to start building trust and demonstrate how things will be different and how you will support the business and your peers (champions) in the other departments. Understand this can take time, and it can be extremely rough. I have known departments to hold grudges against the security team, and I had to use executive leadership to step in to fix issues. Just remember to stay patient, stay professional, and don’t forget that as the CISO you are there to serve.
I have never really understood how businesses think this one works. Cybersecurity, as I have said many times, is like water: it is risk-based and flows throughout an organization. By its very nature, it is a discipline that is intertwined with technology, people, processes, policies, data, and risk. Because of this, I think it’s understandable that if you want to be secure, then cybersecurity can’t be in the backroom of some building but needs to be active and visible. It needs to be involved in other departments’ projects, workflows, and initiatives. Unfortunately, I have seen time and again that organizations still look at cybersecurity as part of the IT department, and it is tucked away somewhere, so it never sees the light of day. Of course, as a CISO this is like a slow death because it severely limits your ability to actually serve your stakeholders and protect the business. How you approach this challenge is with a walkabout: you need to visit and meet with your stakeholders and peers. Get involved in helping them, and through that service, you will grow your security program’s footprint.
Dead CISO Walking
I hear many of you groaning as you read this last challenge. This issue is something all CISOs face, whether it’s in the form of an organization that doesn’t understand how to use its security program or executives who believe the CISO is their hacker superman who will solve all of their years of technical debt and vendor risk exposure problems.
Now, I don’t mind being a hacker superman, but realistically, if you as the CISO can’t get the goals for your security program to reflect the maturity level of the organization, you will never be effective. I propose your goals be based on an industry-standard framework and use the framework for developing a strategic plan. Employ a framework like CIS 20, NIST or ISO 27001 to assess and establish a risk baseline. In the process, you should develop a list of immature security controls and initiatives that I would recommend having vetted and prioritized by your stakeholders. Then use this list to develop a multi-year strategic plan and base your goals on this so they are measurable and you can demonstrate the value of your security program by reducing risk.
My final challenge is when a CISO accepts a job and then realizes they have no team, no staff, and zero budget. They are just a checkbox. Now, you would think that in the hiring process you would catch that something doesn’t seem right with the position, but I have peers who accepted a fantastic job, and within six months their whole team was outsourced. Then, soon afterward, as they sit in their office, they realize they are just there to manage an MSSP, write policy, and occasionally talk to an auditor. This issue is hard to fix; many organizations don’t want a full cybersecurity team, and instead they give the risk to someone else. In essence, they want a babysitter with a CISO title. Now, this doesn’t mean everyone who is in this situation has it this bad. Many CISOs with their teams outsourced start working with governance (the CRO) to help with risk and compliance, or with product/software development to help with application security. So, if you are in this situation, there are ways to make this work. It’s just that your traditional role as CISO will be different because you need to adapt to your company’s business requirements.
These challenges are some of the issues today’s CISOs and security teams face as the business matures and adapts to cybersecurity being a business requirement. As I mentioned earlier, this is not a full list and definitely isn’t a one-size-fits-all approach for every CISO. These challenges are based on my experiences and those of peers and CISOs I have mentored who are actively fighting the good fight in trying to protect their companies.
What I ask is that after you have read this that you find the CISO or security leader in your organization and thank them and their team for the hard work they are doing. It can be a thankless, never-ending job, and the stress is relentless at times. But we continue to serve because for many of us, it’s not a job — it’s a calling.