The growth of cybercrime has been relentless. Headlines are littered with reports of crippling cyberattacks on major companies and ransomware groups terrorizing organizations around the globe. In fact, the UK government’s ‘Cyber Security Breaches Survey 2023’ reported that in the last 12 months, there were 2.39 million instances of cybercrime across all UK businesses.
There’s good reason to be concerned. According to the UK’s National Cyber Security Centre, in the next five years the marketplace for commercial hacking tools and services will expand. They have warned that this will lead to more victims of cyberattacks and a more unpredictable threat landscape.
With the industry evolving at pace and cybersecurity continuing to grow as a priority, Chief Information Security Officers (CISOs) will be under pressure to safeguard their organizations. And while ransomware and data breaches grab all the attention, the fact is that a lack of support from board members, underwhelming technology, and a lack of funding are making an already difficult job even worse. It’s no surprise, then, that over 1 in 4 UK CISOs feel overwhelmed when they manage a cybersecurity incident and are left feeling like a ‘one-man band’.
So, how can CISOs overcome this pressure and ensure they have the right support and resources to build a cyber resilient organization?
Stress, strain, and security fatigue
Cybersecurity, a fast-paced and agile industry, often overlooks the humans behind the threats and the security – in particular, the CISO. The unique role of balancing the responsibility of combating sophisticated threats while communicating the business case for why cybersecurity should have a seat at the C-suite table is adding significant stress to the CISO.
In their position, it is expected that CISOs will inevitably shoulder a high level of responsibility when it comes to security incidents. In the UK, 80% of CISOs feel mostly or fully accountable when their organization faces a cybersecurity breach, leading to mounting stress. This is illustrated further in the recent ‘Mind of the CISO’ study, where a UK financial services CISO disclosed the pressure of their role, saying, “We carry a lot of risk and potential stress on our shoulders. If something does go wrong, a lot of fingers get pointed at our role, even when it’s sometimes not our fault.”
However, changing this mindset is crucial. After all, cybersecurity is a shared responsibility and is everyone’s business. By communicating that the cost of a breach affects the entire business – spanning profitability, reputation, and data loss – CISOs can ensure cybersecurity is taken seriously from the top down.
Fabien Rech is SVP and GM for EMEA at Trellix.
Getting on board with cybersecurity
When it comes to cybersecurity, there is often a large discrepancy between what the CISO needs to be successful and what the board is providing. There is a lot at stake when it comes to cybersecurity, and this disconnect can make it difficult for the CISO to carry out their role effectively.
In the UK, a huge 36% of CISOs find it extremely challenging to get the support needed to maintain cybersecurity strength and a further third (34%) find the lack of buy-in from board members a key challenge in their role. This lack of attention could lead to businesses becoming increasingly vulnerable to threats as there is not enough action being taken to remediate this.
To bridge this gap, the CISO and board should have regular, open conversations about cybersecurity. They must find a common data language to understand and discuss cyber risks and how to manage them, and ensure that key decision makers prioritize a strong security posture across the business.
The CISO has an enterprise-wide remit. To become resilient to cyberattacks, they need backing within the organization as well as the budget and technology to support this responsibility.
Investing in the right tech, not the hyped tech
Just as the threat landscape evolves, so should the security that can protect organizations. Currently, siloed security and a lack of advanced, integrated solutions are direct contributors to stress amongst UK CISOs. This is because organizations often continue to have legacy security infrastructure in place which makes it difficult to integrate the latest technology. Additionally, some organizations invest in too many pieces of technology, rather than the solution that is best fit for them – 64% of UK CISOs claim their organization has over twenty individual security solutions in place.
The consequences of this are stark, with almost a quarter (23%) of UK CISOs attributing the last major cybersecurity incident they managed to their technology failing to detect a breach. In this way, technology, which should be an enabler for CISOs, is instead adding to their workload and ultimately putting organizations at risk.
However, it’s no longer enough to invest in any technology which simply acts as a shield in defense of incoming attacks. CISOs must have a multi-pronged approach to cybersecurity. Prevention is a critical first line of defense and the entire organization must be educated on the latest threats and tactics to remain vigilant. This culture of security must be supported by investing in the right technology to help CISOs and security teams build a more resilient organization, turning the once static shield into an adaptable one.
Empowering the CISO
Ultimately, the role of the CISO is tumultuous – its high importance, coupled with the significant risks associated with it, creates a perfect storm leading to stress, worry and mounting pressure. If this is not alleviated, it could head down a very slippery slope for CISOs, making it harder to retain staff, catch threats early and improve security.
From a resources and investment perspective, outdated and siloed security cannot keep up against today’s threats, let alone tomorrow’s attacks. CISOs must look towards consolidating their security tools to connect the dots and eliminate gaps in the security architecture. This can mean the difference between a well-protected organization and a debilitating attack.
What’s more, CISOs must ensure they are on the same page as board members, so that both better understand the security risk the business is facing and what is needed to build a more resilient environment.
There is a big opportunity here for CISOs who are able to work well with their board and key decision makers to ensure security continues to be a priority.