What are the top priorities for CISOs today?
Published: 20th January 2023
It is a tough time out there for CISOs. There is a skills shortage, increasing threats, decreasing budgets and an expectation to be able to work anywhere at any time. As we all do when time is tight, CISOs need to prioritise. We interviewed three experienced CISOs who have worked across Transport & Logistics, Insurance, Asset Management, and Professional Services to find out how they set their priorities.
Filtering out the False Positives in Threat Detection
The CISOs we spoke with described how understanding which threats to escalate presents a major challenge for them. There will always be a proportion of false positives in any threat detection solution. Filtering those out to focus on the genuine threats will help security teams to win.
An established security program will be protecting the network using the SOC triad* either in-house or as a service. Endpoint detection and response (EDR), network detection and response (NDR) and security information and event management (SIEM) combine to cover the weaknesses of each tool used in isolation and provide comprehensive coverage. But the tools used in these solutions generate vast amounts of data, which can be noisy and complex.
Combine the above with the myriad other tools in operation and you have a vast amount of data to turn into intelligence. While it won’t be possible to eliminate false positives, there are ways to reduce them and help security teams focus on the threats that matter. Artificial Intelligence and Machine Learning are increasingly being touted as ways to handle this data.
By embracing automation, AI and ML, CISOs will be better able to focus on high-level tasks such as threat assessment, while reducing repetitive tasks for their team. This is what the CISOs we spoke to are focussed on.
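To make the triad idea concrete, here is an added example (not code from the original article or from any of the CISOs interviewed) of the simplest kind of automation that cuts alert noise: a triage step that only escalates a host when at least two different sources (EDR, NDR or SIEM) report on it inside a short window, and that drops signals the SOC has already investigated and accepted. The alerts, the suppression list, the field names and the 15-minute window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from the three triad sources; not real telemetry.
SAMPLE_ALERTS = [
    {"source": "EDR", "host": "ws-017", "time": "2023-01-20T09:00:00", "signal": "suspicious_powershell"},
    {"source": "NDR", "host": "ws-017", "time": "2023-01-20T09:03:00", "signal": "beacon_to_new_domain"},
    {"source": "SIEM", "host": "ws-017", "time": "2023-01-20T09:04:00", "signal": "new_admin_logon"},
    # A lone EDR hit on a host where this script is known and accepted.
    {"source": "EDR", "host": "ws-042", "time": "2023-01-20T10:00:00", "signal": "suspicious_powershell"},
    # Two NDR-only hits on one host, four hours apart: one source, no corroboration.
    {"source": "NDR", "host": "srv-db1", "time": "2023-01-20T11:00:00", "signal": "port_scan"},
    {"source": "NDR", "host": "srv-db1", "time": "2023-01-20T15:00:00", "signal": "beacon_to_new_domain"},
]

# Hypothetical suppression list: (signal, host) pairs the SOC has already
# investigated and documented as benign. Kept as data so it can be reviewed.
KNOWN_BENIGN = {("suspicious_powershell", "ws-042")}

# Assumed correlation window: events on one host within this span are one cluster.
WINDOW = timedelta(minutes=15)


def parse(alert):
    """Convert the ISO-8601 timestamp string into a datetime for arithmetic."""
    return {**alert, "time": datetime.fromisoformat(alert["time"])}


def triage(alerts, known_benign=KNOWN_BENIGN, window=WINDOW):
    """Return escalated incidents plus counts of what was received, suppressed and escalated.

    An incident is raised for a host only when two or more distinct sources
    (EDR / NDR / SIEM) fire within `window` of each other, so that a single
    noisy tool cannot page an analyst on its own.
    """
    by_host = {}
    suppressed = 0
    for a in map(parse, alerts):
        if (a["signal"], a["host"]) in known_benign:
            suppressed += 1          # already triaged by a human; do not re-raise
            continue
        by_host.setdefault(a["host"], []).append(a)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["time"])
        for i, anchor in enumerate(events):
            cluster = [e for e in events[i:] if e["time"] - anchor["time"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2:    # corroborated by more than one pillar of the triad
                incidents.append({
                    "host": host,
                    "sources": sorted(sources),
                    "signals": [e["signal"] for e in cluster],
                    "first_seen": anchor["time"].isoformat(),
                })
                break                # one incident per host is enough for an analyst

    return {
        "incidents": incidents,
        "stats": {"received": len(alerts), "suppressed": suppressed, "escalated": len(incidents)},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(result["stats"])
    for inc in result["incidents"]:
        print(inc)
```

On the constructed input, only ws-017 is escalated (EDR, NDR and SIEM all fire within four minutes); the accepted PowerShell script on ws-042 is suppressed, and srv-db1 stays unescalated because both of its alerts come from the same tool hours apart. The single-source hosts are not discarded, just not paged on: a real deployment would keep them for hunting and for tuning the rules, which is the repetitive work the article suggests automating.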
Prioritising the C in CISO
Explaining what they do to the board and justifying investments in security takes considerable time and focus.
Detailing why spending £X on securing Y employees will save the company £Z is not easy. It is a balance of probability for the threats the company will face, and there is no guarantee when the investment will prove itself worthwhile. But once you highlight the financials and show the value of a given investment, decisions and investments can be made very quickly.
Security professionals also need buy-in from the board for culture and behaviour change. Cyber security and a secure strategy are a priority for every member of a company. CISOs need time for staff to complete training, however busy they are, and buy-in from the whole business to take this seriously.
Looking after the Security Team
The skills shortage in the cyber security workforce continues to be an issue. That means CISOs are having to prioritise ways to keep their team happy. Teams can become demotivated, especially when tasked with focussing on the most common alerts rather than the most meaningful. This comes back to the earlier point on filtering out false positives so that genuine threats get the attention.
Experienced cyber professionals are also being asked to upskill more junior staff and this pulls them away from their ‘day jobs’. Getting this balance right can yield great results with teams trained to meet the specific needs of the company, so it is worth prioritising.
As the team grows it presents a further opportunity to reward these more experienced professionals with greater responsibility. This will keep them engaged but adds to the CISO's tasks, as they will need to support those moving into management for the first time. They might be fantastic technically but lack natural management skills. CISOs need to prioritise working with HR departments to spread the load in supporting growth within their teams.
Building a security culture
Continuing the relationship with the HR department, CISOs need to instil the concept that, because of the threat landscape, security belongs to everyone. A sustainable security culture requires all members of staff to feel like a security professional and take it seriously. The CISOs we spoke with are working with their boards to raise the importance of security so that it can cascade through each department.
Once the importance is established it is time to roll out security awareness training. This has a reputation for being ineffective and boring, but this needn’t be the case. Newer training solutions now manage to ensure behaviour change through interesting and enjoyable content. Outsourcing this task can provide valuable efficiency savings.
Next, testing your teams with regular simulated phishing attacks will keep people on their toes. Tie good performance in these into rewards and recognition and the desired behaviour will quickly become standard. Further success can come from setting up a security committee with people across the business working to keep it top of mind.
Given reports that 91% of cyberattacks begin with a spear-phishing email, it's little wonder building a strong security culture has been a key priority for many years.
Effective Prioritisation and Support will allow CISOs to Thrive
The challenges are many, the cyber criminals are relentless, and the budgets are tight. Yet, the professionals we spoke to are not worried. They know what needs to be done and have prioritised where to start.
They also know that they don’t have to face these challenges alone. There is a wealth of resource available to help in managing cyber risks. Whether those are professional bodies and forums or trusted partners, working collectively will allow us all to achieve our objective of protecting organisations from threats and keeping employee, customer and partner data secure.
*The SOC visibility triad is a term introduced by Gartner to describe the three core pillars of network visibility needed to provide comprehensive security. These are EDR (Endpoint Detection and Response), NDR (Network Detection and Response) and SIEM (Security Information and Event Management).