The Top CISO Stories From Around the Web: June

The best stories this June were all about navigating the CISO role. We have a story looking to the future as well as one looking to the past. There is a story about how a CISO on the board, though it is not yet universal, may still not be enough to tackle board level security decisions. Another story is about how communication is involved in helping CISOs operate effectively. The last one on our list is about navigating expanding cybersecurity regulations. This list is great for an update on what CISOs and other cybersecurity professionals are focusing on.

1. A FinTech CISO’s view on challenges and opportunities in InfoSec for 2024

Source: Intelligent CISO

David Scholefield is the Chief Information Security Officer at Demica. In this story, he examines the InfoSec landscape for the second half of 2024. He argues that a CISO's potential and power lie in their ability to act as an individual with confidence and creativity and in their ability to tap into their interpersonal relationships within the organization.

Cybersecurity challenges come from many sources beyond just cybercrime, including legislative changes and pressure from customers and stakeholders. The value of the organization needs to be protected while simultaneously keeping up with changing technologies and opportunities. Some of Scholefield's main points are that InfoSec is a team sport, new technology is coming, compliance should be seen and used for its genuine value, and CISOs will need to report to the board more often and in more detail. Regarding the team sport aspect, he argues that CISOs can't lean too much on awareness training; rather, they need to do an in-depth analysis of what can happen and devise controls to protect against those threats. He also believes that it's crucial to talk with all people involved in the organization to make them, in a way, an extended part of your team. The new technology Scholefield focuses on is AI. He stresses how CISOs can manage the risks and utilize AI's capabilities at the same time. Scholefield compares compliance to following the advice of hundreds of experts: it is most beneficial to implement it with gusto and sincerity. CISOs and the board are experiencing a potential shift in their relationship, with CISOs joining the board instead of reporting to it. This is because InfoSec is becoming more strategically significant, adding to the CISO's past, more technical role. Scholefield's positive attitude towards people in the organization, his fair judgments about AI, his appreciation for compliance, and his understanding of how the CISO's role will change make this story very interesting and a great read.


2. One CISO Can’t Fill Your Board’s Cybersecurity Gaps

Source: Sloan Review

Boards struggle with handling cybersecurity decisions because they don't understand the subject in depth. This hinders their ability to intuitively grasp cyber-related situations. The problem is challenging and important to fix because threats are evolving constantly and expectations for governance and compliance are growing. Manuel Hepfer, who wrote this story, brings in numerical data and research showing how boards are generally unprepared in this sense. One solution that is quickly becoming a trend is adding a CISO to the board. Hepfer finds this effort misguided for two reasons. First, it isolates the CISO as the sole point of reference for cybersecurity decisions, which is not how a board is built to work: it is supposed to be a collaborative effort between all members, which often leads to better results because each board member contributes a unique perspective. Second, the CISO often lacks foundational knowledge of strategic planning, financial expertise, geopolitical factors, environmental issues, and fiduciary duties, subjects that most board members are closely familiar with. This imbalance of proficiency is the issue Hepfer explores. The four approaches he looks at are all aimed at increasing the board's understanding of cybersecurity. One is for board members to have quality one-on-one time to discuss cybersecurity with the CISO. Another is learning through educational courses. The third is to hold regular meetings or learning forums that all board members can attend to learn from the IT and cybersecurity teams. The last is a bespoke board session held on the back of a quarterly board meeting.


3. Six months in: How is the threat landscape evolving in 2024?

Source: Intelligent CISO

In this story, Darren Thomson, Field CTO EMEAI at Commvault, analyzes the first half of this year. He states that the large number of tools used to collect data can overwhelm an organization's SOC and security analysts, hindering performance and especially detection. He focuses on six big trends in cybersecurity: cloud, remote working, IoT, software supply chains, AI, and social networking. He writes about how important it is to look at the big picture and keep perspective regarding cybersecurity performance, and suggests that looking at these trends closely can help. He examines the threats posed by these trends and then discusses the four Rs: risk, readiness, recovery, and resilience. He recommends looking at the main issues set out by the cyber insurance industry for clues as to what to focus on when assessing cybersecurity risk. Insurers see a lot of credential theft, failure to patch systems properly, and failure to fully commit to creating and testing cyber-recovery plans.


4. How CISOs can improve organizational communication

Source: Security Info Watch

Communicating risks to the organization is crucial for maintaining security and compliance. Communication strategies are important tools for advisors like CISOs, who use them to reach as many people throughout the organization as they can. This way their chances of being understood and cooperated with are maximized. Kayla Williams provides some insights (mostly drawing from Devo's research) into communication for CISOs. By using language that is not too technical, CISOs can articulate risks effectively and avoid confusion. Additionally, CISOs can improve their effectiveness and persuasiveness by considering the reporting structure. This means tailoring their reports to focus on the impacts that will matter most to whom they are reporting. It's also helpful for CISOs to understand how each business unit interacts with security tools and policies. To protect the assets most valuable to each department, the CISO can inquire about the department's overarching goals. This way the interactions that each department has with security tools are truly fit for its functions. Through communication, CISOs can act as, and be recognized as, protectors rather than police.


5. CISO Strategies For Navigating Expanding Cybersecurity Regulations

Source: Forbes

The Securities and Exchange Commission (SEC) Cyber Disclosure Rules were enacted to improve how honestly, openly, and frequently public companies report on material cybersecurity incidents. Before this, when such incidents were detected or suspected, cybersecurity teams were not required to report them and were therefore less likely to do so. With these rules in place, it is easier for investors to make informed decisions, confident that their knowledge of the company's security is not missing anything important. If a public company fails to comply, it can be investigated and face penalties. Frequent security posture checks, robust risk management and strategic planning, and strong governance practices are recommended. Integrating people, processes, and technology is also stressed, as is seeking legal advice. The overall goal is transparent communication, which can be a way to promote accountability and responsibility.
