
The Top 3 Mistakes CISOs Make – and How to Fix Them

One of the hardest and most complex jobs in technology is being a chief information security officer (CISO). Not only are you concerned with keeping your company protected from a breach, but also, you’re managing a multitude of issues like:

  • Lack of resources
  • Inadequate technologies
  • Talent shortages
  • Ongoing barrage of attacks from cybercriminals
  • Compliance and regulatory requirements

According to a report from the Enterprise Strategy Group (ESG), on average, a CISO lasts just two to four years before moving on to another position — and burnout is a driving factor. This can lead to mistakes, which can further feed the burnout cycle.

In this article, we outline three of the top mistakes we see CISOs consistently make. These mistakes prevent many CISOs from moving their program forward, achieving the results they want and ultimately making enough progress to make them want to stay around and finish the job.

Mistake No. 1: Not understanding the business.

Historically, security was viewed as an IT problem, which disconnected it from the business, but that has changed with the evolution and rising sophistication of cybersecurity threats.

Security involves an intricate balance of people, processes and technology that needs to be better understood by all employees, leaders and board members. It’s really a team effort; the CISO and security team need help and have every right to expect more from their peers in the business. On the flip side, CISOs need to hold themselves accountable by building security programs based on understanding how the business generates value to stakeholders.

Recommended Actions:

Have conversations with people throughout the business:

  • What “really” produces revenue for the business (the assets)?
  • What would be the impact if those assets were affected, stolen or destroyed (the revenue and shareholder value)?
  • Talk with the C-suite and explore each role’s specific concerns about a breach:
    • CEOs – reputation and shareholder value.
    • CFOs – financial impact, and the perennial question of “what’s good enough?”
    • COOs – downtime and operational impact; the business still has to operate.
    • P&L owners – bonuses tied to financial performance; you need partners across the organization.
    • Workers – jobs that depend on producing products and services; controls have to be largely transparent to end users so they stay productive and buy in.
  • Conduct informal conversations to create a more comfortable situation for people to share their perspectives.
  • Start or expand a security program based on an established framework such as the NIST Cybersecurity Framework, ISO/IEC 27001 or PCI DSS. Make sure to explain to others how the framework helps protect the business and its objectives.
  • Foster a culture that empowers people to do the right thing versus shame-and-blame behavior.


Mistake No. 2: Not keeping up with the latest threats and adjusting your program accordingly.

Raw threat data is just information. It becomes threat intelligence, and a critical component of keeping up with the latest threats, only once it is analyzed and turned into something you can act on. It’s important to know both how to acquire threat intelligence and how to use it to shape a smart cybersecurity program.

For CISOs, it’s important to curate intelligence that helps determine who wants what you are trying to protect, how they would do it and how prepared you are to defend against the attack. Almost as important is ensuring your security team has the skills and experience to consume the output of threat intelligence, create an actionable plan and weave it in as a meaningful part of your program.

Recommended Actions:

  • CISOs should ask themselves the following questions:
    • Who would want to steal what you have, disrupt the business or destroy what you’ve built (the threats)?
    • How would they do it (the TTPs)?
    • What do you have in place to stop the criminals (the controls)?
    • Where are the gaps (the testing and validation)?
    • What should we do about remediation (the risk appetite)?
  • Once you understand the business’s strategy, and the cybersecurity program you need to build in order to enable and protect it, you execute. Slow is smooth and smooth is fast. Build it the right way, as outlined above, and you will be successful.
  • Identify open source threat intelligence feeds and threat frameworks (the MITRE ATT&CK knowledge base of adversary tactics and techniques is the common vocabulary for the TTPs above), commercial off-the-shelf (COTS) platforms that streamline data curation, and partner MSSPs that specialize in threat intelligence, to help scale the effort over time.
  • Develop a business threat model, then analyze it by comparing the types of security controls you have in place, assessing whether you are prepared to protect your business against the bad guys and identifying gaps. This is complex stuff; never be afraid, or ashamed, of asking partners for help.
  • Evaluate your security and technology architecture and evolve it based on threat intelligence insights that pinpoint vulnerabilities in your defenses.
  • Create a plan and roadmap for board members each quarter to show how you are improving the company’s security posture.


Mistake No. 3: Not being clear about success factors for big technical projects prone to failure.

Why do large technology projects fail? CISOs often understate the building blocks that must already be in place and overstate what the technology can actually do. Projects like network access control (NAC), governance-risk-compliance (GRC) platforms and identity management can succeed, but many security programs underestimate the breadth and complexity of those initiatives.

For example, a NAC project will not succeed without a strong asset management capability: you cannot decide what is allowed on the network if you cannot identify what is on it. GRC programs fail because several teams must be involved just to justify the investment, the scope creeps, and the platform ultimately requires more customization than the team can support long-term.

CISOs should really understand what problem needs to be solved, solve that problem and avoid biting off more than they can chew. Think about the entire solution and dependencies, weave it into the business operation/strategy and measure its effectiveness over time. Security people will continue to be scarce, so be sure you have the skills to manage technology you deploy, either in-house or through a partner.

Recommended Actions:

  • Complete a technology rationalization exercise to see what’s in your toolbox before purchasing new technology.
  • With your critical assets as the backdrop for the analysis, overlay your technology stack (implemented and “on the shelf”) on top of the threat model/gap assessment you performed. See what technology gaps you actually have; you’ll be surprised by how many capabilities you already have that simply have not been implemented in production.
  • Evaluate the skill sets on the team to determine whether you have the technical ability to support the technology; if not, and it’s critical to the business, find a partner that can help.
  • Evaluate how you can fill security control gaps with better architecture, design and manual processes. It is always easier to design security in than to bolt it on afterward.
  • Educate and train security personnel to improve operations and retention.
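The question sequence in Mistake No. 2 (threats, TTPs, controls, gaps, risk appetite) and the overlay of implemented versus on-the-shelf tooling in Mistake No. 3 are really one exercise, and it is worth making it concrete. The following Python script is an added example written for this page; it is not Nuspire’s tooling and not part of the original article. The technique IDs are real MITRE ATT&CK identifiers, but the threat profiles, the control-to-technique mappings and the “implemented” versus “shelf” statuses are constructed sample data, and the scoring (rank a technique by how many modelled threats rely on it) is one simple choice, not a standard.

```python
"""Threat-model gap assessment (added example, constructed data).

Answers three of the questions from the article: which techniques in our
threat model can we stop today, which could we stop with tools we already
own but never deployed, and where are the true gaps?
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # what the adversary is after (the "what")
    ttps: frozenset     # ATT&CK technique IDs they rely on (the "how")


@dataclass(frozen=True)
class Control:
    name: str
    covers: frozenset   # technique IDs this control stops or detects
    status: str         # "implemented" (in production) or "shelf" (owned, not deployed)


# Constructed sample data. The T-numbers are real ATT&CK technique IDs
# (T1566 Phishing, T1078 Valid Accounts, T1021 Remote Services, T1486 Data
# Encrypted for Impact, T1190 Exploit Public-Facing Application, T1059 Command
# and Scripting Interpreter, T1003 OS Credential Dumping, T1567 Exfiltration
# Over Web Service); the threat profiles and the mappings are illustrative only.
THREATS = (
    Threat("Ransomware affiliate", "order-processing platform",
           frozenset({"T1566", "T1078", "T1021", "T1486"})),
    Threat("Card-data thief", "payment card environment",
           frozenset({"T1190", "T1059", "T1003", "T1567"})),
    Threat("Insider with valid access", "customer database",
           frozenset({"T1078", "T1567"})),
)

CONTROLS = (
    Control("Mail filtering and phishing training", frozenset({"T1566"}), "implemented"),
    Control("MFA on all remote access", frozenset({"T1078", "T1021"}), "implemented"),
    Control("EDR on servers and endpoints", frozenset({"T1059", "T1003"}), "implemented"),
    Control("Immutable offline backups", frozenset({"T1486"}), "shelf"),
    Control("Web proxy with DLP", frozenset({"T1567"}), "shelf"),
)


def exposure(threats):
    """How many modelled threats rely on each technique; used as the ranking key."""
    return Counter(t for threat in threats for t in threat.ttps)


def coverage(controls):
    """technique -> {"implemented": [control names], "shelf": [control names]}."""
    cov = defaultdict(lambda: {"implemented": [], "shelf": []})
    for c in controls:
        if c.status not in ("implemented", "shelf"):
            raise ValueError(f"unknown status {c.status!r} on control {c.name!r}")
        for t in c.covers:
            cov[t][c.status].append(c.name)
    return cov


def classify(threats, controls):
    """Put every technique in the threat model into one of three buckets, each
    ordered by exposure (most threats first) and then by technique ID:
      covered    - an implemented control addresses it
      shelf_only - only a control you own but have not deployed addresses it
      gap        - nothing addresses it
    """
    exp, cov = exposure(threats), coverage(controls)
    buckets = {"covered": [], "shelf_only": [], "gap": []}
    for t in exp:
        if cov[t]["implemented"]:
            buckets["covered"].append(t)
        elif cov[t]["shelf"]:
            buckets["shelf_only"].append(t)
        else:
            buckets["gap"].append(t)
    for b in buckets.values():
        b.sort(key=lambda t: (-exp[t], t))
    return buckets


def threat_exposure(threats, controls):
    """threat name -> sorted techniques it uses that no implemented control stops."""
    cov = coverage(controls)
    return {th.name: sorted(t for t in th.ttps if not cov[t]["implemented"])
            for th in threats}


def remediation_plan(threats, controls):
    """(exposure, technique, action) triples ordered by exposure; on ties,
    deploying something already owned comes before acquiring something new."""
    exp, cov = exposure(threats), coverage(controls)
    buckets = classify(threats, controls)
    plan = [(exp[t], t, f"deploy owned control: {', '.join(cov[t]['shelf'])}")
            for t in buckets["shelf_only"]]
    plan += [(exp[t], t, "no control: redesign, add a process, or acquire tooling")
             for t in buckets["gap"]]
    owned = set(buckets["shelf_only"])
    plan.sort(key=lambda p: (-p[0], 0 if p[1] in owned else 1, p[1]))
    return plan


if __name__ == "__main__":
    for bucket, techniques in classify(THREATS, CONTROLS).items():
        print(f"{bucket:10s} {techniques}")
    for name, open_ttps in threat_exposure(THREATS, CONTROLS).items():
        print(f"{name}: still exposed via {open_ttps or 'nothing'}")
    for count, tech, action in remediation_plan(THREATS, CONTROLS):
        print(f"[{count} threat(s)] {tech}: {action}")
```

Run as-is, the output is the three buckets, the techniques each modelled threat can still use against you, and a remediation order in which “deploy what you already own” comes before “buy something new”. In practice the inputs come from your own threat model and asset inventory, and the control-to-technique mapping is where most of the judgment lives; the script only makes the gaps, and the unused shelfware, impossible to overlook.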

By addressing these three mistakes head-on, CISOs can not only significantly strengthen their business’s security posture, but also see the successes they need to continue doing great work and avoid burnout.

Download this helpful guidance in our handy CISO Checklist. 

At Nuspire, our mission is to make clients fanatically happy through a relentless pursuit of excellence. Let’s talk about how we can work together to provide a new, fresh and inspiring approach to closing cybersecurity gaps.