One of the hardest and most complex jobs in technology is being a chief information security officer (CISO). Not only are you responsible for keeping your company protected from a breach, but you are also managing a multitude of issues like:
According to a report from the Enterprise Strategy Group (ESG), on average, a CISO lasts just two to four years before moving on to another position — and burnout is a driving factor. This can lead to mistakes, which can further feed the burnout cycle.
In this article, we outline three of the top mistakes we see CISOs consistently make. These mistakes prevent many CISOs from moving their program forward, achieving the results they want and ultimately making enough progress to make them want to stay around and finish the job.
Mistake No. 1: Not understanding the business.
Historically, security was viewed as an IT problem, which disconnected it from the business, but that has changed with the evolution and rising sophistication of cybersecurity threats.
Security involves an intricate balance of people, processes and technology that needs to be better understood by all employees, leaders and board members. It’s really a team effort; the CISO and security team need help and have every right to expect more from their peers in the business. On the flip side, CISOs need to hold themselves accountable by building security programs based on an understanding of how the business generates value for its stakeholders.
Have conversations with people throughout the business:
Mistake No. 2: Not keeping up with the latest threats and adjusting your program accordingly.
On its own, threat intelligence is just information. Once it’s analyzed, it becomes actionable intelligence – a critical component that allows organizations to keep up with the latest threats. It’s important to know how to acquire threat intelligence and how to use it to build a smart cybersecurity program.
For CISOs, it’s important to curate intelligence that helps determine who wants what you are trying to protect, how they would do it and how prepared you are to defend against the attack. Almost as important is ensuring your security team has the skills and experience to consume the output of threat intelligence, create an actionable plan and weave it in as a meaningful part of your program.
Mistake No. 3: Not being clear about success factors for big technical projects prone to failure.
Why do large technology projects fail? CISOs often understate the building blocks that must already be in place and overstate what the technology can actually do. Projects like network access control (NAC), governance, risk and compliance (GRC) platforms and identity management can be successful, but many security programs fail to understand the breadth and complexity of those initiatives.
For example, NAC projects will not be successful without a strong asset management capability. GRC programs fail because several teams need to be involved to justify the investment; they typically suffer massive scope creep and ultimately require too much customization to support long-term.
CISOs should really understand what problem needs to be solved, solve that problem and avoid biting off more than they can chew. Think about the entire solution and its dependencies, weave it into the business operation and strategy, and measure its effectiveness over time. Security talent will continue to be scarce, so be sure you have the skills to manage the technology you deploy, either in-house or through a partner.
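The NAC-depends-on-asset-management point above can be turned into a concrete readiness check. The following is an added example, not code from the article or from Nuspire: it reconciles the endpoints a NAC sensor actually observes on the network against the asset inventory, reports the endpoints the inventory cannot explain (each of which enforcement would either wrongly block or have to wave through blindly), and only declares the rollout ready for enforcement once inventory coverage clears a threshold. The inventory, the observation log format and the 95% threshold are all constructed for the example.

```python
"""Asset-inventory readiness check for a NAC rollout (added example, not from the article).

Before switching NAC to enforcement, every endpoint the NAC sees should be
explained by the asset inventory. Unknown endpoints are the gap that makes
NAC projects fail; the coverage ratio is a metric you can track over time.
All inventory and observation data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory (what the CMDB believes exists), keyed by MAC address.
INVENTORY: Dict[str, dict] = {
    "00:1a:2b:3c:4d:01": {"owner": "finance", "type": "laptop"},
    "00:1a:2b:3c:4d:02": {"owner": "finance", "type": "laptop"},
    "00:1a:2b:3c:4d:03": {"owner": "ops", "type": "server"},
    "00:1a:2b:3c:4d:04": {"owner": "ops", "type": "printer"},
}

# Constructed NAC observation log, one line per endpoint seen on a switch port.
# Assumed format: <mac> <ip> <switch>/<port>
NAC_OBSERVATIONS = """\
00:1a:2b:3c:4d:01 10.0.1.11 sw1/1
00:1A:2B:3C:4D:02 10.0.1.12 sw1/2
00:1a:2b:3c:4d:03 10.0.2.5 sw2/1
00:1a:2b:3c:4d:09 10.0.1.40 sw1/7
00:1a:2b:3c:4d:0a 10.0.3.2 sw3/3
"""


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    location: str


def parse_observations(text: str) -> List[Endpoint]:
    """Parse observation lines; MACs are lower-cased so case differences
    between the NAC export and the inventory do not create phantom unknowns."""
    endpoints = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, location = line.split()
        endpoints.append(Endpoint(mac.lower(), ip, location))
    return endpoints


def reconcile(inventory: Dict[str, dict],
              endpoints: List[Endpoint]) -> Tuple[float, List[Endpoint], List[str]]:
    """Return (coverage ratio, endpoints missing from inventory, inventory assets never seen).

    Coverage is the share of observed endpoints the inventory can explain.
    Unseen assets are not a NAC blocker but usually indicate stale inventory."""
    seen = {e.mac for e in endpoints}
    unknown = [e for e in endpoints if e.mac not in inventory]
    unseen = sorted(set(inventory) - seen)
    coverage = 1 - len(unknown) / len(endpoints) if endpoints else 0.0
    return coverage, unknown, unseen


def nac_enforcement_ready(inventory: Dict[str, dict], observations: str,
                          min_coverage: float = 0.95) -> bool:
    """True only when inventory coverage of observed endpoints meets the threshold."""
    coverage, _, _ = reconcile(inventory, parse_observations(observations))
    return coverage >= min_coverage


if __name__ == "__main__":
    cov, unknown, unseen = reconcile(INVENTORY, parse_observations(NAC_OBSERVATIONS))
    print(f"inventory coverage of observed endpoints: {cov:.0%}")
    for e in unknown:
        print(f"  UNKNOWN  {e.mac}  {e.ip}  seen on {e.location}")
    for mac in unseen:
        print(f"  UNSEEN   {mac}  ({INVENTORY[mac]['owner']} {INVENTORY[mac]['type']})")
    print("enforcement ready:", nac_enforcement_ready(INVENTORY, NAC_OBSERVATIONS))
```

Run against the constructed data, two of the five observed endpoints are absent from the inventory, so coverage is 60% and the check reports the rollout as not ready; the printer that the inventory lists but the NAC never sees is flagged separately as a stale record. Re-running the check as the inventory is cleaned up gives the kind of effectiveness measure over time that the section calls for.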
By addressing these three mistakes head-on, CISOs can not only significantly strengthen their business’s security posture, but also see the successes they need to continue doing great work and avoid burnout.
Download this helpful guidance in our handy CISO Checklist.
At Nuspire, our mission is to make clients fanatically happy through a relentless pursuit of excellence. Let’s talk about how we can work together to provide a new, fresh and inspiring approach to closing cybersecurity gaps.