Chief information security officers (CISOs) will need to play a more proactive role on organisations’ board agendas post-pandemic, according to cyber security experts.
While CISOs have often been perceived as “blockers”, the increased digital and physical exposure of the post-pandemic environment will make them key figures within a company, tasked with enabling the business to operate while maintaining its security, says Del Heppenstall, partner in cyber security in KPMG’s national markets department.
Helen Patton, advisory CISO at Cisco, says: “Too many boards and C-suites [still] think of cybersecurity as a technology-only problem.”
Current barriers to greater executive-level engagement include the limited resources organisations spend on security and poor communication between boards and security teams, both of which contribute to the board’s lack of understanding of the organisation’s true security risk, she adds.
As such, Heppenstall says CISOs will need to move from a technical profile to a broader business operator profile, which will also help them communicate effectively with the board. “In order to get cyber security onto the board agenda and get it understood properly, you need to […] be able to talk their language while understanding the technical [aspect].”
The changes in company structure due to the rise in remote and hybrid working have modified the organisation’s ecosystem. As such, security teams will also need to be retrained and upskilled to be able to adapt to the new landscape, says Patton.
Remote working has added a “complicating factor” for security teams in how they respond to potential breaches, she says. “The teams right now are thinking about detection and response.”
Teams will need to consider how to gain visibility into, monitor and secure an organisation’s corporate network without intruding on the privacy of employees’ own home networks, she adds.
To help simplify this task, organisations should evaluate some of their business processes that may pose physical security risks, says Patton. “It’s not so much the technology controls [that] need to change, but the business processes.”
High turnover rates and under-investment key hurdles to overcome
Heppenstall says “organisations need to take [cyber security] seriously and invest wisely […] in the people and technology”.
Patton adds, “there are a lot of organisations that are under investing in cyber security. Anything leadership can do, to be as efficient and effective as possible, [while] making sure that at least the foundational basics of security are well funded, is really important”.
A widely known problem in the security industry is the high turnover rate of CISOs. According to research by Cybersecurity Ventures, 24 percent of Fortune 500 CISOs have held their current position for an average of one year, compared with 10 percent who have held their current position for an average of five years.
With the pressure of Covid and the rising risk of burnout, organisations will need to demonstrate that they value their cyber security teams, says Patton.
“If [security teams] feel like the work they do is valued, they experience a lot less burnout than security people who feel like the work they do is not valued,” she says. “One of the metrics boards should be looking at is what is the turnover rate of their security team?”
Setting a clear structure and allocating more resources to the department will translate to a higher retention rate, she adds.