For more than a decade, executive leadership has been under pressure to take responsibility for cyber risks. Prior to this time, most IT teams typically worked to maintain the company’s operations while safeguarding it from cyber threats. However, as cyberattacks became more widespread and the related global headlines became too large to ignore, calls increased for CEOs and boards of directors to take the lead, as these attacks were too catastrophic for senior leadership to remain unaware, uninvolved, and blame-free. Then came the appointment of Chief Information Security Officers (CISOs), enabling companies worldwide to pass the responsibility for cybersecurity back to IT managers.
The CISO model was introduced around ten to fifteen years ago. Many companies brought in new blood, experienced security and compliance leaders, while mid-sized businesses simply elevated senior IT staff members to the title. In either case, this accomplished a few things that made the end goal of cybersecurity even harder to attain. Firstly, the role served as a buffer that deflected leadership responsibility away from the CEO, while in reality IT was struggling daily to mitigate risks with limited staff, budget, and resources.
Secondly, most CISOs are typically focused on aligning their security programs with compulsory and recommended compliance frameworks. But these frameworks do not place enough emphasis on ensuring that the underlying security controls and technology are configured to prevent a data breach. Compliance frameworks are static; they do not adapt in real time to fast-changing threat actor tactics or rapidly shifting organizational attack surfaces.
Thirdly, while this model has served as a layer of culpability to shield the CEO and board in the event of a catastrophic data breach, there is no denying that the organization's finances, reputation, and market position would still be in ruins. CISOs and their teams must focus on preventing this destruction so that businesses, jobs, and industry can continue unhindered, and this can only happen by focusing on the real risk: not the written policies or regulations, but the underlying tech stack and its configuration.
It is time for CEOs, boards, and private equity firms to get educated and understand fully what is at stake. They must understand that cybersecurity is a team effort and provide the leadership and resources that CISOs and technical teams need to protect the company from cyber risks. When company operations are decimated by a catastrophic data breach, there is no greater priority.
In conclusion, CISOs and IT teams need the necessary resources, support, and budget to maintain a secure environment. Leadership needs to bring the right people to the table from outside IT and cybersecurity, work together on mitigating the risks, and bring the real-world consequences of failing to act to the forefront of business decisions. By prioritizing cybersecurity and working together, businesses can proceed with confidence, knowing that they have protected themselves against cyber threats.
