The role of the Chief Information Security Officer (CISO) has never been easy. It bridges the highly technical and the strategic, and it carries two complex mandates.
The first is the technical understanding needed to maintain oversight of the information estate and spearhead security projects. The second is interpreting and translating risks into a strategy that the board and the management team will understand. The role is now under increasing pressure, leading to high burnout rates.
A recent survey found that 94% of CISOs are stressed but regard this as part of working in cybersecurity. The ‘State of the CISO 2023-24’ report reveals that job satisfaction is at an all-time low, with 75% considering a career change. Many reasons are given for that dissatisfaction; two of them are the economic downturn, which compels CISOs to do more with less, and increased legal exposure.
There is some hope on the horizon as financial pressures ease, but cyber threat levels continue to rise due to geopolitical unrest, the emergence of AI and the commoditisation of malware. In parallel, the regulations that stipulate CISO accountability are only tightening.
Being held to account
In July 2023, the Securities and Exchange Commission (SEC) in the US adopted much more stringent cybersecurity disclosure rules: a new Item 1.05 of Form 8-K for reporting material incidents, and a new Item 106 of Regulation S-K for annual disclosures. Item 106 requires registrants to describe ‘the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats’.
The SEC then showed its willingness to pursue individuals: it issued Wells Notices to SolarWinds executives, including the CISO, and in October 2023 filed civil fraud charges against the company and its CISO over disclosures relating to the SUNBURST attack. Those charges rest on existing securities law rather than the new rules, but the message to CISOs about personal exposure is the same.
This year, the revised Network and Information Security Directive (NIS2) must be transposed into national law across the EU by 17 October. NIS2 makes management bodies personally responsible for approving and overseeing cybersecurity risk-management measures, including the incident-reporting obligations. Those in breach potentially face personal fines, removal from their post, or a temporary ban from managerial functions.
NIS2 also reaches organisations outside the EU that provide in-scope services within it, and its supply-chain requirements pull in the suppliers of EU entities. The UK is expected to follow with its own, somewhat watered down, update to the NIS regime under the Cyber Security and Resilience Bill announced in the King’s Speech in July.
Another challenge that shows no sign of abating is the shortage of cybersecurity personnel. The ISC2 Cybersecurity Workforce Study 2023 puts the workforce gap at almost the size of the workforce itself (a gap of 4m against 5.5m employed). That gap is growing fastest in the UK, at 30% year-on-year.
Gartner predicts that by 2025 over half of significant cyber incidents will be caused by a lack of talent or human failure. CISOs will not just have to deal with a depleted workforce, but with one in which risks will have risen significantly.
Unprecedented threat levels
The threat spectrum itself is also rapidly evolving. Organised criminal gangs (OCGs) have created Ransomware-as-a-Service marketplaces, lowering the bar to entry. Meanwhile, generative AI is expected to automate both the creation of attack tooling and the exploitation of vulnerabilities. As a result, 75% of those questioned in the ISC2 survey said the current threat landscape is the worst it has been in the past five years.
Moreover, adversaries are becoming more sophisticated, using legitimate processes and tools already present on the target (so-called living-off-the-land techniques) to execute attacks. Because the activity blends in with normal administration, it is harder to detect and more likely to succeed. As a result, OCGs increasingly mirror Advanced Persistent Threats (APTs).
Such threats increase the pressure on the CISO. With budgets eroded, they are expected to do more with less against ever more sophisticated assaults. The ISC2 report found that 53% have delayed purchasing or implementing new technology, and 24% have not renewed cybersecurity software licences.
We can expect the role of the CISO to change as a result. The role usually attracts those with either technical or corporate backgrounds. In the last decade, more CISOs have originated from the latter to help bring the position to the executive ranks. However, we are now seeing the pendulum swing back towards the technical. The goal is to equip the CISO with a deeper understanding of threats and technical solutions.
Taking back control
CISOs are focused on meeting the twin demands of greater control and accountability. That means improving threat detection, investigation and response (TDIR) and understanding its implications for business risk.
Security Information and Event Management (SIEM) is pivotal to TDIR and can be combined with other capabilities to improve defences further. Automation and case management keep on top of emerging threats by automatically investigating, organising and responding to defined classes of alert; they also relieve staff workloads and provide the tooling for threat hunting. In addition, behaviour analytics establishes a baseline of normal activity for each user and system, and flags deviations from that baseline that warrant investigation.
Using the SIEM as the mainstay of TDIR gives the CISO a single pane of glass over the estate. It reduces complexity and shortens the time to response. Moreover, because these systems collect and retain the data needed to demonstrate compliance, they also assist with the reporting element of the CISO’s role.
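The pipeline described above (collect events, baseline behaviour, flag deviations, group the alerts into a case) in miniature, as an added example that is not Logpoint’s code or any product’s logic. The log lines, the one-hour slack around observed login hours, the failure threshold and the severity rule are all constructed or hypothetical for this illustration.

```python
"""Toy behaviour-analytics pass over constructed authentication events.

Builds a per-user baseline (usual login hours, usual source IPs) from a
training window, scores new events against it, adds one sequence rule
(repeated failures followed by a success), and groups the resulting
alerts into per-user cases. All data below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format per line:
# <ISO timestamp> user=<name> src=<ip> result=<success|failure>
BASELINE_LOG = """\
2024-05-06T08:55:10Z user=alice src=10.1.4.20 result=success
2024-05-06T09:02:44Z user=bob src=10.1.4.31 result=success
2024-05-07T08:47:05Z user=alice src=10.1.4.20 result=success
2024-05-07T09:15:30Z user=bob src=10.1.4.31 result=success
2024-05-08T09:01:12Z user=alice src=10.1.4.20 result=success
2024-05-08T08:58:41Z user=bob src=10.1.4.31 result=success
2024-05-09T08:50:00Z user=alice src=10.1.4.20 result=success
2024-05-09T09:05:20Z user=bob src=10.1.4.33 result=success
"""

LIVE_LOG = """\
2024-05-13T08:57:22Z user=alice src=10.1.4.20 result=success
2024-05-13T03:12:09Z user=alice src=203.0.113.77 result=failure
2024-05-13T03:12:31Z user=alice src=203.0.113.77 result=failure
2024-05-13T03:13:02Z user=alice src=203.0.113.77 result=success
2024-05-13T09:04:15Z user=bob src=10.1.4.31 result=success
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, value = kv.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def build_baseline(events):
    """Per-user baseline: hours of day and source IPs seen on successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for e in events:
        if e["result"] != "success":
            continue  # only successful logins define 'normal'
        baseline[e["user"]]["hours"].add(e["ts"].hour)
        baseline[e["user"]]["srcs"].add(e["src"])
    return dict(baseline)


def score_event(event, baseline):
    """Return the list of baseline deviations for one event (empty means normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown-user"]
    reasons = []
    # hypothetical tolerance: one hour of slack either side of the observed hours
    usual = {h % 24 for seen in profile["hours"] for h in (seen - 1, seen, seen + 1)}
    if event["ts"].hour not in usual:
        reasons.append("off-hours")
    if event["src"] not in profile["srcs"]:
        reasons.append("new-source")
    return reasons


def detect(events, baseline, fail_threshold=2, window=timedelta(minutes=5)):
    """Score each event, plus a sequence rule: >= fail_threshold failures followed
    by a success from the same user and source inside `window` (hypothetical values)."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        reasons = score_event(e, baseline)
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
        else:
            fails = [t for t in recent_failures[key] if e["ts"] - t <= window]
            if len(fails) >= fail_threshold:
                reasons.append("failures-then-success")
            recent_failures[key] = []
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                           "result": e["result"], "reasons": reasons})
    return alerts


def open_cases(alerts):
    """Group alerts per user into one case and assign a severity from the combined reasons."""
    cases = defaultdict(lambda: {"alerts": [], "reasons": set()})
    for a in alerts:
        cases[a["user"]]["alerts"].append(a)
        cases[a["user"]]["reasons"].update(a["reasons"])
    for case in cases.values():
        # hypothetical triage rule: a successful login from a new source after
        # repeated failures is treated as a likely account compromise
        high = {"new-source", "failures-then-success"} <= case["reasons"]
        case["severity"] = "high" if high else "medium"
    return dict(cases)


def run():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return open_cases(detect(parse_log(LIVE_LOG), baseline))


if __name__ == "__main__":
    for user, case in run().items():
        print(f"case user={user} severity={case['severity']} alerts={len(case['alerts'])}")
        for a in case["alerts"]:
            print("  ", a["ts"].isoformat(), a["src"], a["result"], ",".join(a["reasons"]))
```

On the constructed data, alice’s three 03:12 to 03:13 events from 203.0.113.77 each deviate from her baseline, the final success also trips the sequence rule, and they land together in one high-severity case; bob’s in-hours login from a known address produces nothing. The point of the grouping step is the one the paragraph makes about case management: an analyst receives one case with the timeline already assembled rather than three separate alerts.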
Where do we go?
What’s needed now is closer coupling with business risk. That means fusing reactive functions such as security monitoring, threat detection and incident management with proactive ones such as risk management, vulnerability management, and identity and access security.
In addition, AI presents a significant opportunity. It can help draft and tailor communication about an incident, the actions taken in response and its impact on the business for the relevant stakeholders, including top management, the board, government entities and communications professionals.
Increased regulatory pressure and an evolving threat spectrum will make businesses much more susceptible to reputational damage, financial losses and legal consequences. That makes the CISO indispensable and only heightens the value of their contribution to the board. In the meantime, those in the role face challenging times as they seek to balance demands and maximise their defensive capabilities.
Logpoint helps organisations and partners protect against cyber attacks and streamline security operations by combining sophisticated technology with a profound understanding of customer challenges. Logpoint’s threat detection, investigation and response solution, based on converged SIEM, UEBA and SOAR technologies, empowers European organisations to achieve security outcomes on any premises through high-quality data, continuously updated security content, flexible deployment options and industry-best predictable licensing. Headquartered in Copenhagen, Denmark, Logpoint has a European foundation and is the only European SIEM vendor with a Common Criteria EAL3+ certification, demonstrating its strengthened focus on data protection and adherence to data and cybersecurity regulations. For more information, visit http://www.logpoint.com.