What it takes to be a CISO: Success and leadership in corporate IT security

Some comments from Kaspersky Lab’s head of information security on the results of the CISO survey.

How do people working in a Chief Information Security Officer (CISO) position or its equivalent view cybersecurity? Which problems do they face? To learn the answers to those questions, Kaspersky Lab surveyed 250 security directors from around the world. Their opinions are very interesting, although I cannot say that I totally agree with all of my colleagues.

Let’s look at the question about measuring the key performance indicators for a CISO. It is no surprise that most respondents said that their main job criterion is the quality and speed of incident response handling. In modern businesses, people tend to stop thinking of cyberincidents as failures of security. It is good to see that most specialists are beginning to understand that incidents are inevitable, even normal. Today, cybersecurity is primarily about the survival of the company.

By survival, I mean having a level of protection that can guarantee that in the case of an advanced persistent threat attack, data leakage, or a massive DDoS, a company can restore itself without serious damages or lose no more than a predefined minimum. In other words, today’s CISOs focus on incident response.

On the one hand, that is really great. Just a couple of years ago, a “zero incident” view of cyberprotection prevailed, and businesses thought that CISOs should be able to shield infrastructure from incidents with an iron-clad guarantee. But on the other hand, focusing solely on reactive technologies is no better. As I see it, CISOs must strike a balance. All elements of adaptive security architecture are important: prevention, detection, response, and prediction.

Talking about risks

Most of the CISOs agree that the biggest risk to an organization after a breach is reputational loss. With that, I totally agree. I would answer the same way. Reputational damage is the basis of all other incident consequences — falling stocks, client confidence, sales, and so forth.

Reputation is the real reason we do not hear a thing about the majority of security incidents. If a company can conceal a cyberincident, it does — although in some countries, laws require companies to disclose any information about security problems to their shareholders or clients.

Apparently, CISOs see differences in the motives of cybercriminals and can tell state-sponsored attacks from financially motivated crimes. But as for me, I would place insider attacks at the top. In terms of losses, they are the most dangerous — and experience has proved a dishonest employee can potentially cause a lot more damage then external malefactors.

Influence on business decisions

It was interesting to see how security directors are involved in making business decisions. I was surprised to learn that not all considered themselves adequately involved. But what do they consider “adequate”?

Essentially, there are two strategies. Security can control every step the business takes, approving each move. Alternatively, they can serve as a consultant, with the business asking if its way is OK.

At first glance, total control seems more effective — and it would be, if cybersecurity was a goal in itself. In reality, that approach requires a lot more staff, and it slows business development. That can be particularly challenging for innovative companies that use business processes that do not yet have best practices for protection.

Budget justification

The answers to the question “Without a clear ROI, how do you justify your budget?” upset me. It appears that the most popular means of justification are scare tactics — cybersecurity breach reports and evaluations of damages done to the company by past attacks. Yes, that works — the first time, and maybe the second. But when the third time comes around, the answer will be more like “OK, that was scary. How do others manage things?”

It is more relevant for the business to learn about the experiences of other companies. Unfortunately, “Industry benchmarks and best practices” ranked seventh in the arguments list, although such information can be found in the open. For example we have a useful tool: our IT Security Calculator.

This study provides a lot of food for thought. You can dig into the complete report here.