The Challenges of Today’s CISO: Navigating the Balance of Compliance and Security
How difficult is the CISO’s job? Imagine a scenario as a security leader where you’re in charge of keeping your organization’s most valuable assets safe from an increasingly sophisticated and growing number of threats. Remote workforces and advancing technology create more attack surfaces while your adversaries grow more sophisticated and aggressive by the day. Further complicating matters, security leadership traditionally demands perfection—meaning one security incident could cost you your job.
Few truly understand the day-to-day challenges encountered by today’s CISO. Modern security leaders must meet higher standards and face constant questioning from management. Chuck Markarian, CISO at PACCAR, describes the typical scrutiny CISOs encounter, which runs the gamut from not patching every security gap, to taking responsibility for an incident, to answering for the lack or choice of security tools. He sums it up, “If the bad guys are right once, they can get in. We have to be right 100 percent of the time.”
Compliance is another important aspect of a CISO’s focus. In addition to meeting management’s high expectations, modern CISOs must ensure their organization doesn’t run afoul of the growing number of data security regulations including GDPR and CCPA, which can result in stiff penalties for non-compliance.
In light of these challenges, what can today’s CISO do to successfully balance numerous compliance and security responsibilities despite seemingly, at times, insurmountable odds? The New CISO podcast spoke to security leaders—KT Boyle, US Army Cyber Command, Sean Murphy, CISO at BECU, and Chuck Markarian—to gather first-hand tips for success for today’s CISO.
Your success as a security leader may well hinge on the quality of the relationships you build with both fellow security pros and the executives. As a CISO, it’s critical to nurture strong bonds of communication and trust with the executive level. “You need to develop those relationships. You need to get them to know who you are, the program you’re developing around security, why it’s important to them. If I were starting over in my career, I’d push hard to get those relationships in place,” says Chuck Markarian.
Without strong executive-level relationships, security leaders can face unrealistic expectations. Management expects security leaders to fully cover the organization’s exposure to risk, but when there is an incident, blame often falls on the CISO as the person in charge of security. “Going back three to four years ago, it was common for action one being a breach, action two being a new CISO brought into the organization, and action three being PR recovery,” explains Sean Murphy.
When incidents occur, the relationship a CISO builds with the executive level can make all the difference. With understanding and trust in place, upper management is aware that breaches do happen and aren’t necessarily the result of a CISO’s mistake. The focus then becomes a collaborative remediation effort rather than placing blame, helping drive a faster return to normal business operations.
Residing atop an organization’s security structure can be lonely, and the modern CISO needs to create vibrant relationships with other industry security leaders. Building solid network bonds with security colleagues can provide a supportive community, which is critical for professional collaboration and personal wellbeing.
Communication between teams and levels within an organization regarding risk management and security posture is critical today. A security program gels once effective lines of communication are established between departments. CISOs must foster this communication, and the first step is an interdisciplinary council for roundtable conversations on enterprise risk. Forming an in-house risk council is a major compliance requirement in many industries, so this step checks an essential box ahead of regulatory audit time.
A significant part of a CISO’s job is clearly and effectively communicating enterprise risk and security posture to the executive level. These discussions should include what the organization may be lacking, such as consistent patch cycles, timely removal of legacy technology, or efficient integration protocols. Interdisciplinary councils provide the forum for these informative discussions, allowing the flow of information between departments that’s essential for executive risk and security decisions.
Even though difficult conversations can result from these communications, modern CISOs need to be transparent and avoid masking the truth to please management or to protect their own job security. Management needs accurate risk data to make the best business decisions, and security leaders serve no one by intentionally or unintentionally painting a rosier picture than the facts support. Sean Murphy discusses the imperative to shoot straight, “You’re not doing the organization any justice if you’re constantly trying to spin the news, so it sounds better going up. You’re not protecting your job—going back to the idea of the scapegoat being the CISO, if something goes wrong and you didn’t give the objective data, then you probably deserve to lose your job. Be objective, be fair, be reasonable, be right, but always communicate the message as you see it.”
As crucial as honesty is when conveying the facts, CISOs also need to communicate with and project confidence when addressing risk. Security leaders shouldn’t induce panic by painting gloom and doom—rather, instill the belief they’re doing all that’s possible for the organization in terms of protection, detection, response, and recovery. A CISO must speak the truth with a confident optimism as Markarian explains, “You’re informing them, not holding back, and they get it. It does scare them, but at the same time, you’re giving them confidence that the program they’re funding is heading in the right direction.”
Team building and leadership
KT Boyle can’t hide his enthusiasm when discussing his role at US Army Cyber Command in building an insider threat program for the military. He readily shares his Green Beret background and is quick to quote the SAS motto, “He who dares, wins.” This is a man well suited to speak on the leadership and team-building skills needed by today’s security leaders.
Boyle breaks down team building from a security perspective into three core components. The first is human resources, the faces behind the organization, of which Boyle says, “Human beings, at the end of the day, are the cornerstone and foundation of any good team. One of my big things I ask the team when we bring on anybody is, ‘Are they a good person?’”
Clear visibility into all disparate environments and tool efficacy also play a prominent role in the team building necessary to launch a successful security program. Effective and efficient tools make the hiring process significantly easier, removing the need to have subject matter experts on every level.
The CISO role is one of leadership—always acting as an advocate for removing the barriers to a team’s performance. Leaders must be engaged, constantly asking questions and analyzing. When asked to describe the behavior of an unsuccessful team lead, Boyle responded, “Indifference is the indicator for me—they’re not engaged, not asking a damn thing, and they end up turning your analytics group into a ticket closing help desk.”
The role of today’s CISO comes with a multitude of challenges—protecting an ever-growing attack surface, remaining compliant with numerous security regulations, and consistently satisfying ever-demanding executive teams. Modern security leaders must deliver transparent and honest enterprise risk assessments with steadfast confidence, even when the news doesn’t fit management’s desired narrative. Yet these same challenges bring opportunities to shine and to build a career on trust.
A modern CISO’s success can depend on the quality of relationships and lines of communication built with executives, industry peers, and team members. Leading a security team today takes honesty, integrity, resilience, and unshakable confidence because even the best security pros aren’t right all the time. Despite this uphill climb, CISOs who invest in relationships, foster communication, and master leadership and team-building skills can successfully balance the numerous compliance and security responsibilities that come with this critical security role.