Top CISO Challenges

Written by

Read more from CISOs: 

Organizations of all sizes are facing an ever-evolving threat landscape, where encryptor-based ransomware is giving way to hack-and-leak campaigns, one-size-fits-all cyber-attacks to targeted hacks and on-premises vulnerability exploits to bulk software supply chain attacks.

This responsibility of combating this evolving threat falls squarely on the shoulders of CISOs, who face a multitude of complex challenges.

From navigating the treacherous waters of software supply chain vulnerabilities to mitigating the impact of zero-day exploits and anticipating the malicious use of AI, CISOs wear many hats and face diverse threats. They are the gatekeepers of our digital world.

Here are some of the biggest challenges CISOs have shared with Infosecurity Magazine.

Sophistication of Cybercriminals

Jason Lau, CISO, Crypto.com

“The pace at which cyber threats are evolving is a significant concern. Criminals are becoming increasingly sophisticated, employing advanced techniques like AI and machine learning to conduct attacks. Coupled with the exponential growth of IoT devices, which widen the attack surface, we're facing a complex cybersecurity landscape.

Additionally, the current global shortage of skilled cybersecurity professionals is another major concern, as it challenges our ability to adequately defend against these threats.”

Ensuring Availability 

Tal Arad, CTO and former CISO, Carlsberg

“For me, because I'm in a manufacturing company, availability is the top thing. As a smart person once said, the beer must flow. I have a little ceremony every morning where I check my phone and hope that nothing has happened during the night and we’re still up and running. It can be a scary job sometimes, especially when at a critical juncture like going into hypercare or when there is a big event happening.

I think it's also the fact that it's a never-ending arms race. You can see already the next thing coming with AI around the corner. I don't think we're in a place yet where we need to start preparing for the war between us and the machines, but it is going to make our lives interesting over the next few years when all the various players within the attack groups are starting to use more AI and large language model-based tools.”

Read more: How Threat Actors Hack Large Language Models

 Increase in Ubiquitous Bandwidth

Fredrick “Flee” Lee, CISO, Reddit

“From a technical standpoint, I’ve noticed that there has been a significant increase in ubiquitous bandwidth. For example, your phone is permanently connected at a high enough bandwidth that hackers have multiple options and few constraints when it comes to compromising and leveraging that device. This poses a major challenge for the security community.

If we were to examine issues from the inside, security teams continue to be outnumbered and it’s tough to find practitioners who are also builders and software engineers. When you look at all disciplines within the security industry, there are simply not enough people and too few of them come from diverse backgrounds and experiences. This results in having limited understanding and protection of human experience. For example, how do we think about the credentials that women in patriarchal societies are required to provide and how their privacy is protected?

It is unrealistic to think that people without lived experiences can understand all the different cultures. It’s important that we have people who have experienced the security and privacy considerations that come with these types of security issues. Without true diversity, we will always struggle to understand how to address and mitigate them.”

Supply Chain Security

Tim Brown, CISO, SolarWinds

Nation-state actors are a big concern. Because of the Ukraine war, Russia has stopped participating in shutdowns and they seem to be linking up more tightly with their organized crime components in the country. China is very active in utilizing vulnerabilities and stealing IP to move its agendas forward.

The supply chain is another big concern because I think some of the low-hanging fruit of security will be those product libraries that are being utilized by many that don’t have the maturity needed to build them securely. So, they’ll be a ripe target moving forward.”

"I know about my capabilities, but I don't know my adversaries' capabilities."Marene Allison, Former Global CISO, Johnson & Johnson

External Threats 

Marene Allison, Former Global CISO, Johnson & Johnson

“The outside threat. Having run and secured a major corporation during the coronavirus, I know that the security technologies are strong. What I don't know is what are the capabilities of nation-states that are trying to get into that and what they are doing.

When you know the gross national product of China, Russia or Iran can be thrown at creating cyber technologies to hack into corporations or government agencies that’s when you don’t know what is next.

Having lived through NotPetya and several other nasty things running around out there, it gave me solace that you can have a program that prevents it but if I was head on with a nation state and they were coming to attack me personally, would I be able to handle it? That’s the biggest thing that I think multinational CISOs probably ponder at night.

I know what I know about my organizations. I know about my capabilities, but I don't know my adversaries’ capabilities and what they could do to me.”

Access and Identity-Related Issues 

Josh Lemos, CISO, GitLab

“One trend we're increasingly seeing in several reports is that a large majority of cyber incidents organizations are now facing are access and identity-related.

Many of these organizations have shifted from fully hosting their applications and software on-premises to hybrid, multi-cloud architectures, where security measures heavily rely on identity-based processes.

As an industry, we’ve eventually gotten good at mitigating some of the threats, like ransomware – which still happens frequently but does not have the success it used to have. However, we’ve been lacking in identity and data security.

We should now focus our efforts on understanding our data, its sensitivity, its governance, how we provision your access policies with least privilege and review our authorization policies to ensure only people who need to access some part of your system will be granted access.”

"The evolving regulatory landscape will drive the need for more cyber literacy at all levels."Jon France, CISO, ISC2

Failure to be Fully Prepared 

Ollie Whitehouse, CTO, UK National Cyber Security Centre

“I’m not sure we’re fully prepared for the ‘when'. When the big event happens – and one will happen in our lifetime – do we have enough capacity and capability to be able to respond on an enduring basis that goes beyond weeks?

If I look at the UK’s private sector, there are no more than four to six companies that are able to deal with operational technology (OT) cyber-attacks at scale, for instance.

That’s why NCSC needs to develop better market signaling solutions.

We also introduced the Cyber Incident Response (CIR) Level Two scheme earlier this year. Level One was for organizations that are able to deal with threats of national importance. Level Two will be dedicated to enhancing private-sector companies’ incident response maturity to be able to deal with commodity threats at scale.”

New Regulations

Sam Watling, Head of Critical Asset Security, TUI Group

“We have quite a lot of incoming regulation and directives across Europe and for us NIS2 is very relevant as it focuses on critical infrastructure, as we have airlines and cruise companies that are in scope of that regulation.

There are also ongoing external threats, such as the increase in ransomware as a result of the war in Ukraine. TUI has not been hit particularly by ransomware, but the number of instances is certainly increasing. It’s not something that’s going to go away while people are paying the ransoms and there’s a continuing profit cycle.

As with most organizations, we try to stay middle of the pack, you don't want to be the least performing in terms of cyber resilience, but you also don't really want to be the top because it probably means you're spending too much money.”

Complexity of Systems

Jon France, CISO, ISC2

“The growth of the general threat landscape at a macro level, which is caused by more reliance globally on digital systems. The complexity of systems is going up, too, so the breadth and depth of threats are growing, which is putting pressure on security leaders.

The sophistication of attackers is also going up, which requires sophistication in defenders – it’s an arms race.

Then it's risk management, which is how we quantify and treat those threats – what do I treat first and to what level? For security leaders, the answer is getting closer to what the business does, which requires understanding the language of business and what is important to the stakeholders in your organization.

You can see with the new SEC rules that we are starting to require literacy in the boardroom around these threat vectors. You’re starting to see the baseline of regulation. In the EU alone, there is NIS2, the Digital Operational Resiliency Act (DORA), the Cyber Resilience Act (CRA), the Cybersecurity Act (CSA), the upcoming AI Act – all security-related.

The regulatory landscape in the cybersecurity world requires more effort, which will drive the need for more literacy at all levels.

Talking the language of risk is probably where you’ll see technologists moving into boardroom politics and machinations. Boards talk about risk so if you can talk about risks, you’re talking a common language.”

Building Capability 

Heather Lowrie, CISO, University of Manchester 

"My biggest concern within the industry is how we professionalize and build capability as an industry. It's really important as we move towards the chartered statuses that are that are being offered by institutions such as CIISec, that we really encourage people coming into the industry to take advantage of those professional and standard routes and work with professional bodies.

I’d like to see a future where everyone who’s coming in at entry level to one of my teams is working towards chartered status and is on that professional career path. It’s great to see a lot of the work that’s being done in that area, including by the UK Cyber Security Council."

What’s hot on Infosecurity Magazine?