Top 5 Security Truths Every CIO Should Know - Part 1
By Candy Alexander, CISSP, CISM, NeuEon Cyber Risk Leadership Practice Lead & CISO
Anyone peeking into the mind of a CIO will see it swirling with challenging questions. A tornado of limited resources, balancing security and technology, and feeling alone in it all—obstructing the path to security success. What’s worse is that the toughest challenges aren’t even related to technology—where CIOs have a lifetime of experience.
To help CIOs calm the storm and navigate through the journey of security, NeuEon’s Cyber Risk Leadership Practice Lead, Candy Alexander, weighs in on the Top 5 Security Truths Every CIO Should Know in this three-part blog series, including actionable Do’s and Don’ts.
Security spend is rising, compliance mandates are multiplying, yet the prevalence of CISOs in the mid-market c-suite isn’t keeping pace. According to IDG’s 2019 Security Priorities study, while 88% of enterprise-class organizations have a top security executive, only 51% of small- to medium-sized businesses (SMBs) do. That gap leaves many CIOs playing a dual role, filling in the blank of the CISO’s security direction. Even in organizations with CISOs, the role often reports to the CIO, placing security oversight squarely in their camp.
Responsibility, it seems, is overflowing for mid-market CIOs. But, the questions that go along with the laundry-list of to-dos might have answers CIOs wouldn’t expect.
Let’s look at the top five “truths” from an unconventional perspective:
1. Security Isn’t Your Fault
Will I be blamed if something goes wrong?
Ask anyone within an organization where the security responsibility falls and you’re likely to receive the same response—IT. While yes, IT identifies areas for security improvements along with the use of technology, the answer is fundamentally flawed. CIOs need to know that while viewed as a “technology problem,” security is a business problem relating to information or data and data use.
One of the biggest challenges is with the “appropriate level of investment” for protecting the data, and therefore the business. Generally, the business determines the level of investment through budgets, staffing, and prioritization of goals. Then those goals dictate investment decisions. Using a simple example, if a business has a goal to make more widgets, then the investment would be to purchase materials to build the widgets. This same approach should be used for security investments.
Now, let’s frame this using phishing, one of the biggest threats to hit any organization. If a campaign is successful, remember, it’s not your fault. Being the victim of an attack is almost guaranteed these days. However, how your organization prepared for the attack is the key. Was there enough budget to purchase the necessary technologies? Was staff trained on cybersecurity best practices? Oftentimes the answers are “no” based on priorities set by the business’ understanding of the risk and its potential impact to the business. If a CIO recommends technologies that would reduce the impact of the phishing threat, but the business invests elsewhere, the onus is on the business.
The bottom line is that businesses must decide what level of risk is acceptable. If the top priority is to increase revenue, it’s likely that the business will limit security spend to an amount that provides “good enough” protection. To help CIOs and businesses arrive at their own version of this destination, try the following:
- Do change the conversation from a technology discussion to a business discussion. Work with organization leaders to determine what is important to business operations, the risk scenarios, and the amount of risk the business is willing to accept. Then, allow the decision to drive security decisions/investments.
- Don’t keep security focused on the IT department, but rather incorporate all departments. A good approach to kickstarting this initiative is to challenge the business to think about the sensitive information they are using. Have them consider how they protect it and what would happen if they lost access to the information.
2. Finding and Getting the Right Resources: Staffing & Budget
Having the right tools makes all the difference in getting the job done. In this case, we are talking about the resources of staff and budget. An area where there is a clear distinction between right and wrong.
All CIOs have access to resources, but do you have the “right” ones for you and your organization?
Staffing the Right Security People
What if I don’t have enough skilled resources?
Let’s face it, a good IT person is difficult to find. Layer in a skilled security background, and the pool narrows. The annual (ISC)² Cybersecurity Workforce Study concluded that globally, nearly three million security positions are open because of the skilled cybersecurity workforce shortage. Success in the face of this shortage is a global challenge.
For CIOs wanting to strengthen their staff’s security skills and teams, follow these guidelines:
- Don’t post an entry-level job that requires five years of experience. Better yet, be realistic as to what you would like the role to do. Don’t define the role as being responsible for security awareness and threat hunting–those are two separate skills sets at opposite ends of the spectrum. Understand what skills are needed to complement your existing team. After posting, if you aren’t getting applicants, or the applicants aren’t what you imagined, you probably need to adjust the job post.
- Do grow your talent organically. Especially if you can’t afford a seasoned professional, or what you’re seeking is a unicorn that doesn’t exist (yet). In fact, cybersecurity talent wants companies to do this. According to the annual ISSA/ESG research study on the “Life and Times of the Cybersecurity Professional,” security professionals are looking for a company that is willing to provide them training or the ability to learn from senior staff.
- Don’t forget that you get what you pay for. Be prepared to invest in hiring the right And that compensation is important, but there are other factors as well, such as training/learning opportunities, and others as identified in the ISSA/ESG research study.
- Do make your security teams feel valued so that they don’t leave for one of the three million open security positions.
Identifying the Right Budget
What is an adequate budget for security?
Having an infinite budget means you can make anything happen. When does that happen? Never. Budgeting requires CIOs to define the exact amount to dedicate to securing the organization. When under the pressures of the budget planning cycle, it can be easiest to refer to the previous year and use a small percentage of the overall IT budget for security. CIOs should resist this urge. Instead, use these guidelines based on the classic business justification process:
- Do align the security budget with your organization’s strategic business goals or initiatives–understanding the potential security risks and what resources will be necessary to protect/mitigate the risks. And, don’t forget the “business as usual” activities such as active monitoring/responding.
- Don’t decide the budget based on a percentage of the IT spend. Do a bottom-up analysis for tech, staff, training, and in some cases, managed services.
Up Next, Engaging Service and Solutions Providers You Trust
We’ve only covered the first two “need to knows.” Part 2 of this blog series will cover how to engage service and solution providers you trust.
Don’t want to wait? Contact us today to learn more.