Today’s CISOs do not have the easiest job. They are tasked with safeguarding a company’s digital, identity, and data assets, protecting customer data, maintaining trust with stakeholders, achieving and maintaining a variety of changing compliance standards and frameworks, all while being asked to consolidate budget and communicate their impact to leadership. A modern CISO’s job has never been so important, and it’s also never been so difficult. Let’s take a look at some of the biggest challenges facing CISOs today.
The Technology Landscape
Innovation continues to result in new technology that helps businesses accomplish their goals more effectively and efficiently. But new technology also means new protocols and methodologies are needed to achieve compliance and maintain security.
- Speed of Digital Transformation: As organizations rapidly digitally transform to keep up with competition and customers, they often neglect the security implications involved. Traditional GRC approaches struggle to keep pace with this speed of change, leading to incorrect configurations, issues with control governance, and critical items being overlooked.
- On-premises vs. Cloud Complexity Management: Today’s enterprises use a variety of different tools, technologies, and platforms. Each has its own purpose and brings unique benefits, but from a GRC and security point of view, this represents added risk and complexity. Many businesses will use a combination of on-premises servers, cloud platforms, and third-party SaaS tools in day-to-day operations. Traditional IT-GRC programs are generally not set up to scope controls and risks in these environments because of their complexity and continuously changing nature, which can lead to security gaps and added risks and vulnerabilities.
- Managing A Distributed Workforce: During COVID, the business world had to quickly adapt, leveraging technology to communicate and get work done from isolated locations. Now the norm, remote and hybrid work has changed security protocols, and CISOs must ensure that employees, regardless of device or location, adhere to GRC requirements. Whether all employees are in one office and on one network, or spread out globally across many locations and networks, working from home offices and coffee shops, a CISO is responsible for ensuring security policies are kept.
The Threat Landscape
As new technologies emerge, new threats follow quickly behind.
- Evolving, Dynamic Threats: The threat landscape is always changing. New vulnerabilities and threats emerge daily. The rise of ransomware attacks, AI-based attacks, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) backlog are among current factors that are forcing CISOs to think on their toes when it comes to threats and how to best protect their organization. Traditional IT-GRC programs were designed to evaluate risks manually and statically. But in today’s evolving threat landscape, threats need to be assessed continuously, and in real-time.
- Digital Supply Chain and Third-Party Risk: Modern enterprises are not isolated entities. They rely on a connected network of other vendors, service providers, and partners. Malicious attacks can, and have, leveraged this connected third-party network to gain access to networks and data. One famous example of this is Target, which had customers’ financial and personal data stolen by attackers hacking an HVAC company that was a subcontractor of Target. Incidents like this have continued to highlight the amplified risk of our connected business world. GRC approaches to evaluating vendor risk are usually done at a static point in time, often annually, which is not up to par for the modern threat landscape. CISOs need a better way to evaluate third party risk.
The Accountability Landscape
As InfoSec challenges grow, so does the burden of proof that rests on CISOs to demonstrate they’re adequately responsive to the changing landscape.
- Ever-Changing Compliance Standards: To meet today’s dynamic threat landscape head on, government and international organizations continue to roll out new mandates and standards to protect user privacy and data and ensure compliance and security. Compliance standards are different depending on the company, geography, and industry, with new frameworks being rolled out in real-time. For example, in the EU, in addition to GDPR compliance, CISOs are now being tasked with meeting the Digital Operational Resilience Act (DORA) by January of 2025.
- Increased reporting requirements: CISOs are being asked to share more, often quantitative, evidence that their programs are set up appropriately and achieving the desired goals. Some of those asks are coming from regulators, e.g. the SEC’s requirements around material cybersecurity incidents, while others are coming from CEOs and boards who are concerned by mounting breaches and scrutiny from regulators, investors, and customers.
- Precedent of personal liability: Joe Sullivan’s felony conviction and subsequent sentencing raised the stakes for CISOs, executives and board members. The threat of legal consequences for individuals has made InfoSec leaders even more determined to adhere to the most rigorous security best practices, and be able to prove it with clear documentation.
These are just a few of many challenges modern CISOs are forced to face, in addition to organizational hurdles like budget constraints, limited staff, supporting sales in security assessments and managing their own supply chains.
Adapting GRC Practices to Keep Pace With Today’s Technology & Threats
Traditional GRC processes and tools are not cut out to help CISOs be successful today; they often function like ticketing systems and require arduous manual intervention to stay up to date. The wave of automation-focused software has created its own set of problems; while they offer time savings on some manual tasks like evidence collection, they don’t offer assurance that work is being done correctly, and fail to present a clear picture of GRC program status and business impact.
So, how can CISOs evolve their GRC practices to keep pace with today’s new technology and evolving threats?
- Reevaluate Your InfoSec Goals
Many cybersecurity leaders inherit a program that reflects antiquated priorities and capabilities, and focus on “check the box” requirements. Businesses and regulatory requirements are changing all the time – make sure that leadership is aligned on key security objectives before making any changes to your tech stack or team.
- Prioritize Visibility & Assurance
CISOs need to be able to answer the question “What’s our risk profile?” any day of the week. Answering this question requires systems that give you a clear picture of requirements, controls, tests, policies, customer commitments and how they all fit together. To do this probably requires tool consolidation and a reliance on APIs and AI to ensure a consistent, up-to-date picture of the InfoSec environment. Visibility extends to the use of AI; the sources of any generated text or images should be readily available.
- Stay Accountable with Reportable Metrics
Taking visibility one step further, CISOs should define appropriate metrics to their leadership and report on them regularly, ideally more often than once a year. The process of collecting these metrics should be straightforward and repeatable, to avoid unnecessary stress and errors due to manual work.
These are a few important steps CISOs can take to adapt and modernize their GRC programs as they take on the evolving threat, tech, and accountability landscape and work to keep their organizations secure.