Most InfoSec executives work hard to achieve their career status. They have years, perhaps decades, of experience in cybersecurity, and they put effort into developing security strategies that keep their organizations safe. Few professionals at the level of Chief Security Officer or Chief Information Security Officer are willfully ignorant or intentionally negligent — and yet, many CSOs and CISOs do make disastrous mistakes.
Aside from mistakes in strategy that can result in various vulnerabilities, CISOs tend to make one of three major mistakes in their behavior as the leading security professional in their organization:
Lacking Business Knowledge
CSOs and CISOs need technical security knowledge and skill to lead their security teams effectively. They need to be able to understand their organization’s existing digital systems as well as its digital goals in order to develop a strong security strategy that mitigates risk and thwarts attacks. Not just any business leader can function as a chief officer in the cybersecurity field, because these hard skills are essential to success.
However, where many CISOs fall short is their overdependence on their technical skill to the atrophy of other critical areas of knowledge. To thrive in the highest level of business leadership — the c-suite — a CISO or CSO must recognize that security is a balance of technology, processes, and people; the greater a CISO’s understanding of business structure and behavior, the more adept they will be at developing security strategies that stick.
Perhaps the most valuable business knowledge for a CISO to gain and maintain is how the organization generates value for its stakeholders. CISOs should engage in conversations with different types of stakeholders, from customers and low-level employees to executives and investors, to better understand the most valuable digital components in the organization and how they are utilized. As a CISO appreciates what matters most to the business, they can develop more effective security strategies that account for employee behavior. They can ensure response plans that get core processes up and running with greater speed.
Ignoring Emerging Threats
A significant portion of cyberattacks takes recognizable forms: phishing emails, ransomware, and malicious insiders. CSOs and CISOs are familiar with these types of threats, which have been present for decades. The bulk of their security strategy revolves around identifying and preventing such established types of attack. However, the threat landscape is not set in stone. In fact, radical improvements in information security have compelled cybercriminals to develop new, frightening methods of attack that circumvent the effective cyber-defenses that CISOs and their teams have put in place.
Unfortunately, many CISOs are not invested in understanding the evolving threat landscape, and their cybersecurity strategies do not adequately prepare for emerging threats. As a result, organizations succumb to cyberattacks, suffering data breaches with high financial and reputational costs.
CSOs and CISOs need to develop a sense of curiosity that compels them to invest time and energy into researching the latest digital threats. Subscribing to cybersecurity blogs and engaging with other InfoSec media, like podcasts and books, can help security executives at all levels keep their knowledge of emerging threats up to date. Additionally, CISOs and CSOs should consider what their most valuable data is, what protections are in place and how attackers might be able to exploit vulnerabilities. Committing to innovative solutions could keep an organization’s security one step ahead of cybercriminals.
Misunderstanding Successes and Failures
CISOs are responsible for keeping an organization safe, which often involves completing a series of major technical projects, like network access control, governance risk compliance platforms, identity management and more. These projects can be simple and straightforward — but only if security executives are realistic about the requirements and capabilities of those projects.
Before a CISO or CSO launches any project, it is important for them to develop clarity regarding the project’s success factors. This might include understanding the scope of the project and identifying the underlying systems and tools required for it to function as anticipated. Security executives should speak candidly with their own teams and with any teams affected by a new technology or project implementation to set reasonable expectations for its effects. Then, projects will be less prone to failure, including the appearance of failure.
A CISO might have the most cybersecurity experience in the industry. Still, if they continue to make the mistakes listed above, the organizations they work for will suffer cyberattack after cyberattack. Investing in business knowledge, paying attention to emerging threats, and developing a realistic view of project success are key to functioning as an effective CISO.