8 things CISOs should be thinking about, but probably aren’t

CISOs have plenty of issues on their minds, everything from building a secure infrastructure to blocking ransomware attacks to ensuring that internal staff doesn’t misuse or steal data. With so many responsibilities and so little time, it shouldn’t be surprising that even the most conscientious CISO is likely to miss at least a few critical issues.

Here’s a rundown of eight often-overlooked areas that CISOs should immediately address.

1. Ensuring that third-party partners maintain strong security

Third-party partners, such as clients and service providers, are challenging to monitor yet frequently targeted by cybercriminals who are eager to broaden their attacks. Myke Lyons, CISO at data intelligence software developer Collibra, advises CISOs to work closely with their partners to ensure they’re diligently following best security practices. “There’s no clear-cut or simple way, but assessing vendors, libraries, third-party processes, and connectivity to providers is critical,” he notes. “Governance is key.”

2. Investigating innovation opportunities

After years on the job, many CISOs get stuck in a rut, focusing almost entirely on meeting basic business security requirements and keeping their heads down. It’s an attitude that inevitably leads to trouble. “If we don’t innovate, we can quickly find ourselves struggling to remain relevant amid business growth,” cautions Noah Beddome, CISO at online home sales service Opendoor.

Over time, a CISO who fails to innovate damages both the organization as well as their own reputation. “We need to push our teams and ourselves to convert our thoughts into proposals, and to not be afraid of things not working out,” Beddome says. “RFCs (requests for comments) start discussions, and even if the end result is not what you planned it can lead to great progress,” he adds.

3. Understanding their enterprise’s data footprint

It’s impossible to completely protect something that’s not fully understood. Many of the most notorious and costly data breaches have struck organizations that didn’t know exactly how much data their enterprise was storing, as well as its type, age or location. “Knowing what data you inherited when you started and what continues to proliferate is critical,” says Marlys Rodgers, CISO and head of technology oversight for CSAA Insurance Group.

Rodgers says that CISOs also need to fully understand the amount and scope of data that lies beyond their direct control. “Who has your data, and what controls are applied, is as important as the [data] you have direct control over,” Rodgers notes. “The totality of your footprint is also knowing how and where to plug the leaks,” she adds.

4. Strengthening security team support and focus

CISOs should be focused on building and operating within a culture and environment that supports their teams and enables them to succeed. “Effective cybersecurity is largely the result of an empowered culture and evolved environment, one that starts with leaders at the top,” observes Joe McMann, CSO and strategy at the cyber unit of business advisory firm Capgemini.

McMann suggests that CISOs should analyze their security operations and consider changing direction if their teams aren’t successfully addressing key risk areas or working together collaboratively, even with management support. “Finally, CISOs need to ensure that their teams are working with strategic partners who can help them achieve these goals and align with the overall culture and strategy,” he adds.

5. Thinking ahead

The threat landscape is constantly evolving. “Focusing on a point-in-time assessment is understandable from a tactical perspective, but generally fails to meet the strategic goals CISOs should be addressing,” says Doug Saylors, cybersecurity director at Information Services Group, a global technology research and advisory firm.

Many CISOs are so focused on dealing with security’s tactical aspects that strategic considerations are often neglected, Saylors says. “Bolting on security as an afterthought is likely to leave significant gaps that will leave organizations vulnerable to exploits which have not yet surfaced in the market,” he notes.

Saylors estimates that 80% of the CISOs he works with are focused on tactical versus strategic goals. “The other 20% have held CISO roles for ten-plus years and understand the importance of strategy and business impacts,” he says.

Saylors suggests elevating the CISO role to a strategic level by examining how the enterprise has evolved in the past 16 to 18 months and using that insight to update the cybersecurity roadmap. “If needed, leverage providers in the market that can help deal with commodity security functions to free up the CISO and senior cybersecurity engineering resources to regain a strategic advantage,” he adds.

6. Maintaining return on existing security investments

Investments made in security tools, cyber talent, and incident response processes can’t be allowed to lie fallow. All need to be periodically tested to ensure they’re still able to meet their planned goals. “CISOs deploy technical resources in tools and human capital to configure those tools and develop processes and procedures to detect and respond to attacks,” says Andrew Turner, an executive vice president at business advisory firm Booz Allen Hamilton. Yet, too often, the true effectiveness of those tools and plans are only truly tested when it’s too late—during a significant incident or full-scale breach.

Turner advises implementing continuous testing programs at multiple levels, ranging from tabletop exercises to technical testing, such as purple teaming, a security methodology in which teams work closely together to maximize cyber capabilities through continuous feedback and knowledge transfer. “Frequent and recurring tabletop exercises increase the muscle memory for the organization,” Turner says. “Technical testing, like purple teaming, validates that your security stack tools are blocking or logging malicious activity and that tuned analytics are firing when malicious activities take place within your environment.”

7. Finding ways to build enterprise management unity

Security, IT, and business teams often operate in independent silos, hindering effective communication and swift problem remediation. Encouraging collaboration between these parties, combined with a full-stack observability strategy driven by business goals, can help CISOs more effectively integrate enterprise security.

CISOs need to be collaboration and innovation drivers, providing leadership that cascades into individual teams’ cultures, says Gregg Ostrowski, a regional CTO at Cisco unit AppDynamics, an application performance management and IT operations analytics technology provider. “By better aligning with the CIO and other business leaders within an organization, CISOs can foster an environment that allows security and IT teams to work in lockstep, setting up the brand for success,” he explains.

CISOs and security teams have long been blamed for blocking or hampering innovation. “Now, more than ever, is the time to build a culture that allows teams to drive toward overarching business goals,” Ostrowski says.

8. Developing a truly effective method to sharpen threat awareness

Poor threat awareness is detrimental to enterprise security planning. Failing to adequately monitor threat trends can lead to technologies, services, and practices that have no clear connection to actual risks, threats, and adversaries. “The organization then becomes technology rich but security poor,” warns Alicia Lynch, CISO at SAIC, a firm that provides IT-related services and support to government clients.

Lynch recommends establishing a process to collect and filter trustworthy information on key trends being observed in the wild and fusing those insights with internal organization intelligence to identify security gaps that need to be addressed before attackers can gain the upper hand. “Without a mature methodology to filter the noise and focus on items relevant to their organization, CISOs will miss key security-related intelligence,” she says.