Chief Information Security Officers (CISOs) currently average just 18 to 24 months in any one role, according to a recent report. This flightiness isn’t down to money or ambition, however, but stress. Cybersecurity’s focus has turned to technology in recent years, with automation and machine learning dominating conversation. But what does this mean for our people and their development? Every cyberattack begins and ends with a human – from the perpetrating threat actor to the defender trying to thwart them – which is why our tech obsession is not making the CISO’s life easier. To fulfil their role CISOs first need an effective cyber workforce, and while tech can help, the current marriage between man and machine is a failing one.
CISOs are juggling endless tasks and managing numerous employees, often without knowing the scope of their company’s human cyber capability. The ‘impossible job’ is now so difficult, in fact, that 65% of CISOs are considering quitting, and nearly 17% treat stress with medication or alcohol. If the industry cannot begin to lighten this burden the churn rate will increase; and this is music to the ears of attackers, who know that instability results in negligence.
CISOs lack support
Those CISOs who swap one business for another will find there’s no respite in this game. Starting at a new organization, where you’re blind to the capabilities at your disposal, is a baptism of fire. Revolut’s CISO Dinis Cruz recently quit less than two months after he joined the bank; his predecessor left the company after a year. This kind of turnover is happening at every organization – old and new – in every industry, with serious consequences for both our national security and the mental health of our CISOs.
When your role is difficult in any walk of life, support is vital – whether that’s having the right team around you or the best tools for the job. But it appears CISOs aren’t getting the support they need from boards, and this is often because those at the top do not understand cybersecurity and its challenges. Threat actors are innovating and breaches occur daily, as evidenced by the 60% of US and UK companies that have discovered malware in their systems without a clue how long it had been there. Yet, despite this prominence, one third of CEOs claim they would fire their CISO in the case of a breach.
It’s little wonder that with such peril looming over them, nearly a quarter of CISOs feel they must be available 24/7.
People must precede tech
A cybersecurity practice must be structured: it must begin with people and processes and be supported by technology. In his article The Impossible Role of the CISO, security leader JC Gaillard said, ‘Reporting capabilities should be embedded and inform any management decision up to the board. You build those over time. It requires mid to long-term vision and leadership from the CISO […].’ The problem, however, is that most CISOs are unlikely to possess mid to long-term vision – how can they when they don’t expect to be in one place more than a year or two? And even if they do have that clarity of vision, realizing it is another thing altogether.
It’s possible that one key factor here is that cybersecurity practices are built backwards. The focus is often on technology and quick wins instead of measuring resilience, and processes revolve around the capabilities of resource-intensive products. Before anything else, CISOs need a team with a varied and up-to-the-minute skillset working below them. Security tech is only as good as the human configuring it, after all – just ask Capital One, whose misconfigured S3 buckets allowed a breach that affected 100 million US citizens in July 2019.
Building a cybersecurity culture is key
Of course, it isn’t only misconfigured tech that leads to security incidents. Phishing and spear-phishing are still the most common ways that threat actors gain access to networks, and often the point of entry is a regular, non-technical employee with little to no cybersecurity awareness. And as businesses look to secure everything from their CEO’s inbox and customer data to their application code, the attack surface is ever-widening.
Technological measures are necessary to respond to such numerous attack vectors effectively, but they are by no means a panacea. Every employee, technical or otherwise, should possess some level of cyber awareness, while security professionals require the right tools to upskill at the right time. To achieve this, businesses must build a security culture from the ground up, ensuring that everyone from the receptionist to the CEO understands the role they play in securing the business.
How Immersive Labs empowers CISOs
The problem for cybersecurity leaders is not measuring the effectiveness of technology; it is measuring the effectiveness of people. This is especially difficult for CISOs joining new companies, where they need to grasp their employees’ capabilities at speed. Our platform’s numerous management features make tracking and developing your organization’s cyber skills easier than ever. From setting your team objectives to ticking off skills against the MITRE ATT&CK framework, you are in total control of the development process. Our Cyber Capability Score even wraps this up in one handy figure and shows how your organization fares against others in its industry.
If you would like to see Immersive Labs in action and check out our management features for yourself, head on over to lite.immersivelabs.com. This is a free, stripped-back version of our platform, but it will give you an idea of the scope of Immersive Labs.