It’s a Hard Time to Be a CISO. Transformational Leadership Is More Important Than Ever

Modern CISOs are navigating tough circumstances due to a myriad of complex challenges. Evolving threat actor tactics, techniques, and procedures (TTPs) that leverage next-generation technologies have increased the sophistication of traditional cyberattacks, adding urgency for CISOs to implement resilient cyber defense strategies.

However, an experience shortage driven by understaffing and evolving skill requirements is making that difficult to accomplish. There are more than four million unfilled security jobs in the world today, and research indicates that a majority of security professionals believe the impact of the skills shortage has worsened over the past two years.

CISOs are also dealing with heightened regulatory pressures coupled with corporate politics. In 2023, the charges against Joseph Sullivan (Uber) and Timothy G. Brown (SolarWinds) set a new precedent for corporate responsibility on matters of cybersecurity.

Both landmark cases exemplified the consequences of inaction on new cyber mandates like the Securities and Exchange Commission (SEC) regulations, Biden Administration Executive Order and NIS2 Directive, among other global measures.

The stakes have never been higher for CISOs to foster seamless cross-functional alignment on cyber risk mitigation and compliance across their C-suite and Board. If they fail to, they can potentially be held liable for it.

But as we’ve encountered time after time, generating collective buy-in amongst stakeholders with varying priorities and business objectives is far easier said than done.

This perfect storm of complexity is hindering CISOs’ health, well-being, and career stability. For example, a 2023 CISO stress study conducted by Cynet found that:

  • 94% of CISOs said that they were stressed at work
  • 65% expressed that their stress compromised their ability to protect their organization
  • 74% left their jobs in 2022 due to work-related stress
  • 77% said that their work stress impacted their physical health

This often translates into burnout that leads to CISO turnover and volatility. While the current CISO turnover rate sits at about 18% YoY, Gartner forecasts that as many as half of security leaders will change jobs by 2025, with about a quarter of them moving to different roles entirely due to work-related stress.

That is an unfortunate reality of our situation at hand, but it doesn’t need to be all doom and gloom moving forward. Light still exists at the end of this tunnel.

By adopting a transformational leadership approach, CISOs can take proactive steps to protect their organization (and themselves) from the ripple effects of an accelerating threat landscape.

Bridging Organizational Gaps

Modern CISOs must be more than pure technologists. It is critical that they serve as transformational leaders of influence who effectively align an organization’s security needs with the other high-priority functions of the enterprise.

A transformational CISO is adept at leveraging enterprise risk strategies to articulate the correlation between cyber and business risk in terms that resonate across the organization.

This allows them to effectively articulate the severe consequences of successful attacks, regulatory non-compliance, and the business benefits of modern security capabilities, in turn justifying the importance of ample security resources, frameworks, and cross-functional collaboration in the eyes of executive stakeholders.

Compounded at scale, securing buy-in across those facets enables CISOs to implement resilient security strategies around high-value assets to safeguard the organization from major breaches that result in legal liability. It also helps cultivate a culture of security vigilance built on communication and collaboration amongst organizational leaders.

Covering those bases is worth its weight in gold when it comes to reducing anxiety associated with the CISO role. While new obstacles will always exist on the horizon, having robust resources and contingency plans in place helps ensure you can navigate them with agility.

Positioning Security Teams for Success

The transformational CISO role resembles that of a head coach in sports. Cyber defense is a team sport, and it takes a collective effort to defend an organization’s attack surface from threats in high volume and velocity.

The whole is better than the sum of its parts.

As such, security teams must be positioned with the right people, processes, and technologies that enable them to perform efficiently and minimize friction. When that fails to happen, it ultimately falls on the CISO in charge – another driving factor of the stressful conditions we are under today.

CISOs must be vigilant about ensuring their practitioners possess fundamental skills that are aligned to their organization’s evolving security needs, especially as rapid enterprise digital transformation continues causing companies to adjust operating models on the fly.

For example, during a company-wide transition from hybrid (on-premises/cloud) to fully cloud-based deployments, practitioners may need additional training on intricate cloud security concepts or zero-trust principles. This is where scaled cybersecurity certification training partnerships can be leveraged to upskill existing employees and equip them with the foundational knowledge essential to executing their role.

In addition, it’s important for CISOs to prioritize the implementation of security automation tools and robust security program frameworks.

Streamlining manual workflows via automation (likely to be AI-enabled) lessens the burden on understaffed security teams juggling numerous responsibilities, in turn reducing staff-wide burnout that often trickles up to the CISO’s seat.

Meanwhile, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) 2.0 is a perfect example of a well-defined program framework that promotes operational efficiency. It adds a cohesive structure to the organization’s policies, procedures, processes, and activities so that practitioners and tools operate more effectively, enhancing the performance of the whole end-to-end security architecture.

The challenges of cybersecurity’s evolving threat landscape and regulatory environment call for modern CISOs to transcend the traditional boundaries of their role.

Moving with a transformational mindset is critical to weathering the storm. By embracing this leadership style, they can cultivate a culture of security prioritization, empower their teams, and foster greater resilience for both their organization and themselves.

To learn more, join me in Washington, DC at SANS CDI 2024 on Dec 13-18 where I’ll be teaching SANS LDR514: Security Strategic Planning, Policy, and Leadership.
