By helping CISOs navigate the expectations being placed on their shoulders, CEOs can greatly benefit their companies.
March 4, 2024
COMMENTARY
It seems obvious: CEOs and their chief information security officers (CISOs) should be natural partners. With the persistent rise in cyber threats, most CEOs recognize the importance of having a strong security leader to protect the company's data, not to mention its reputation.
And yet, according to a PwC report, only 30% of CISOs feel they receive sufficient support from their CEO.
As if defending their organizations from bad actors despite budget constraints and chronic cybersecurity talent shortages wasn't already difficult enough, two 2023 cases — fraud charges against SolarWinds and its CISO and the sentencing of Uber's former CISO — have thrown security chiefs into the perilous position of potentially facing criminal charges and regulatory wrath if they make a mistake.
Small wonder that Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors. "Cybersecurity professionals are facing unsustainable levels of stress," the analyst firm's Deepti Gopal has said.
High turnover in the CISO role serves no organization's interest; successful, stable CISOs absolutely do. Supportive partnerships between CEOs and cybersecurity chiefs are crucial. Here are four things CEOs can do to help:
Today, the vast majority of CISOs report to the CIO rather than the CEO, according to executive search and management consulting firm Heidrick & Struggles. Whatever the formal reporting relationship is in a given organization — CISO to CIO or directly to the CEO — the most important thing is that the security chief and company chief are in lockstep on cyber strategy and execution.
A 2023 Forrester report said a direct reporting line to the CEO can have five benefits for CISOs, including strong control over and management responsibility for the cybersecurity program, funding for security initiatives, and increased awareness of cybersecurity responsibilities companywide.
With cybersecurity now so vital, and in light of the uniquely huge pressures on the CISO, this is a good time for CEOs to examine how they're communicating and collaborating with their CISOs.
How does a supportive CEO act? They empower the CISO to lead and execute the cybersecurity mission, they provide resources, and they're empathetic about how hard the job has become.
The importance of empathy can't be overstated. Remember, in the wake of the SolarWinds and Uber cases, CISOs are now personally obligated to report material cybersecurity information accurately or they could face legal action. CEOs should deeply appreciate these hard truths and always back the CISO's efforts toward full transparency.
When the CISO makes a good case for resources, the CEO must be honest about the severe risks that come with saying no. This kind of CEO is aligned with the CISO in never settling for "secure enough" and backs the security leader on opportunities for improvement.
While cybersecurity for the past 20 or 30 years was defined by prevention, it has become clear that the discussion needs to be reframed around resilience. Data has grown and diversified at a dizzying clip, to the point that most organizations struggle to even identify all the data they have and what's critical and what isn't. The Rubrik Zero Labs report found that, in 2022, data increased more than 25% in a typical organization, with data from software-as-a-service (SaaS) applications exploding at an astounding 236%.
This means that while organizations still need prevention strategies, they also are wise to acknowledge that attacks are inevitable and shift to a more achievable goal: protecting the most critical data (like confidential customer information and core company financial data and intellectual property), limiting the impact of attacks, working quickly to rectify them, and keeping the business running.
Key to building this resilient future are CEOs and CISOs who are in lockstep on why it makes sense and are collaborating closely to achieve it.
The rise of generative AI (GenAI), and its usefulness to attackers and defenders alike, has received a lot of attention. AI is enabling cybercriminals to generate more code to attack organizations and, in turn, is becoming a necessary tool for helping security teams understand what's going on. CISOs need to be on top of both sides of this equation, but there is also another dynamic in play that CEOs can help arbitrate.
For many on the business side in a company, AI is a shiny new thing that presents opportunities to, say, offer customers new product features. But cybersecurity teams must take a close look at the use of GenAI in product development or customer support functions if they feel it is pushing the security risk envelope.
In any situation where this natural tension creates a dispute that ends up in front of the CEO, the CEO can support the CISO and the company's cyber mission by carefully weighing potential security exposures rather than defaulting to a "move fast and break things" mentality that prioritizes speed over security.
As these four suggestions show, CEOs have the power to help CISOs navigate the enormous expectations being placed on their shoulders. CEOs who exercise those powers aren't just doing the right thing for their CISOs, they're greatly benefiting their companies.
Michael Mestrovich
CISO, Rubrik
Michael Mestrovich is chief information security officer at zero-trust data security company Rubrik and former acting CISO at the Central Intelligence Agency and Principal Deputy CIO at the Department of State.