In this Help Net Security interview, Okey Obudulu, CISO at Skillsoft, talks about the increasing complexity of the CISO role and the challenges CISOs face. He discusses the business environment, tech innovation, the evolving regulatory landscape, and limited resources and budgets.
Obudulu also provides recommendations for CISOs, emphasizing the need to embrace continuous learning across multiple domains and build strong partnerships throughout the organization to instill a company-wide culture of security awareness.
With the increasing complexity of the CISO role, what are the top three challenges you believe they face, and how can they best address these?
The first major challenge faced by CISOs is the increased complexity of today’s business environment, which is heightened by the rapid pace of tech innovation and the evolving regulatory landscape. Organizations need to navigate this business environment to be successful, which often means adopting new technologies, developing new processes, or expanding to new markets to drive growth.
However, all this complexity leads to greater risk, which means that CISOs are playing an increasingly vital – albeit more challenging – role in setting up the business for success. This includes protecting the organization from new and emerging threats, ensuring regulatory and compliance requirements are being met, and establishing trust with new and existing customers – all of which are essential for business success today. Navigating these complexities makes the CISO role not only more challenging, but more essential to the success of the business overall.
Limited resources and budgets are another major challenge faced by CISOs. The threat environment is not static, and attackers will constantly look for new and innovative ways to achieve their goals. At the same time, technology itself continues to evolve, which means that a company’s tech stack will also change over time. To keep pace with both the threat landscape and rate of tech innovation, organizations need to make ongoing investments in security, which becomes challenging from a resource and budget perspective.
Lastly, CISOs are challenged to keep their skills and knowledge up to date. Working in security means needing to build expertise that is both broad and deep, spanning multiple domains across technology and compliance. It is difficult for any one individual to possess all this knowledge, which means CISOs need to ensure their teams are also building new skills and expertise. As the business and technology environment changes, learning at both the individual and team level needs to be a constant when it comes to working in cybersecurity.
With the emerging emphasis on CISOs as ‘guardians of customer data,’ how do you view the balance between the legal and moral duty of disclosure to different stakeholders in the event of a breach?
The legal and moral duties of a CISO should be one and the same. Ethically, a CISO should be taking all the steps to work closely with the leadership team and ensure the organization is doing everything it can to protect the privacy of its customers. While there are laws and regulations in place to ensure organizations are taking these steps, this is something CISOs should strive for regardless of the legal obligation.
At an individual level, all of us – not just CISOs – are consumers of other technologies and businesses, so we understand the importance of customer privacy and protection firsthand. From a moral and ethics perspective, that means doing everything we can to ensure protection and transparency when it comes to customer data.
With the changing dynamics of the cyber insurance market, how important is it for CISOs to include personal liability cover in their cyber insurance contracts?
The personal and professional stakes of being a CISO today have never been higher. When it comes to things like Directors and Officers (D&O) liability insurance, it's really important that those protections are also afforded to the CISO. CISOs are often in the position where they are making decisions on behalf of the organization that could lead to personal liability, which means they should have as much protection as the rest of the C-suite and board.
Given the critical nature of questions like ‘where is the data?’ and ‘who is accessing it?’, how do you recommend CISOs maintain a clear grasp on these core elements amidst the evolving threat landscape?
Data mapping and data governance are foundational steps in any cybersecurity strategy. There's an expression that you can't protect what you don't know you have, so every CISO needs to have a clear understanding of what data is being collected, how it's being collected and why, who's accessing the data, how it's being used, where the data is being stored, whether it's encrypted or unencrypted, etc.
Having this awareness allows CISOs to develop data governance and build data protection strategies. This can include decisions about which data is most sensitive, including anything related to PII, and what might be considered more benign. Data mapping is an essential part of the data governance process and is foundational to every cybersecurity strategy.
In the face of all these challenges and developments, how do you envision the role of the CISO evolving over the next 5-10 years?
The evolution of the CISO role has been very interesting. Up until now, many CISOs came to cybersecurity through different paths – either organically as engineers, systems administrators and other technologists or as executives appointed to the role. Moving forward, I anticipate these skill sets will roll into one, and that CISOs of the future will be much more well-rounded across technology, leadership, and risk management.
In essence, CISOs are business executives who are responsible for managing technology and compliance risks on behalf of the organization. The role requires strong technical skills and expertise, as well as the business skills needed to function at the executive and board levels of leadership.
Looking towards 2024, what would be your top advice or recommendation for CISOs as they navigate the dance between technology, leadership, and risk?
Learning is essential for survival in the CISO role. To be successful in the role, CISOs will need to embrace continuous learning across multiple domains, including security, privacy, technology, leadership, business, and risk management. This includes keeping up with new and emerging technologies, understanding the privacy, legal and compliance landscape, and developing strong "power" skills like communication and collaboration to be the most effective leader possible. CISOs who aren't continuously learning and investing in professional development will eventually see a decline over time.
My other advice for CISOs is to build strong partnerships throughout the organization, especially across the engineering, IT, legal, and executive teams. Leaders in those areas should view the CISO as a partner, not an overlord, which will cut down on friction and create the right environment for success. When CISOs are collaborating with the rest of the organization, they’re more likely to instill a company-wide culture of security awareness, which is imperative to successful cybersecurity strategies today.