Why the CISO is like a superhero
In comic books, superheroes fight threats that ordinary people are powerless to combat. In business, CISOs fight threats of a very specific kind. Unrecognized by employees and even by executives, cyber threats are still not taken seriously enough, even though the fight against them is becoming increasingly complex.
The stakes of cybersecurity are considerable
Of course, the daily routine of a CISO does not consist of preventing the world from collapsing. However, they bear a heavy responsibility, given the serious consequences that a cyberattack can have: slowdown or shutdown of production, website unavailability, delivery delays and contractual setbacks, damage to the company's image, etc.
The figures are telling in this regard, since already in 2019, 65% of companies had experienced an attack, with 57% of cases having an impact on business (source: CESIN Business Security Barometer, January 2020).
All CISOs are also aware that risks weigh heavily on their organizations, regardless of their characteristics, as experience shows that attacks affect all types of structures, sometimes with disastrous consequences. To cite just one example, let us remember the receivership of Lise Charmel, after suffering a two-month shutdown and losing several million euros.
The job is becoming increasingly complex.
Although the scope of the CISO's responsibilities depends largely on the size and organization of the company that employs them, the range of tasks remains considerable. These cover all or part of the five phases identified in the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), which is a useful tool for managing cyber risks.
But the real complexity of the job is not just about scope: it is also due to the fact that threats are constantly increasing and now take all forms.
In concrete terms, this is illustrated by:
- the variety of attack vectors: phishing or spear phishing (79% of attacks), CEO fraud (47% of cases), exploitation of vulnerabilities (43%), but also login attempts, denial-of-service attacks, bounce attacks via a service provider, not to mention cases of voluntary disclosure of information;
- the diversity of the consequences of attacks, ranging from identity theft or infection by malware or ransomware, to data theft, cryptojacking, or website defacement;
- the development of "risky" practices, including the transition to cloud computing, shadow IT, etc.
Conclusion? The CISO is supposed to see everything, know everything, anticipate everything, prevent everything, and—if an incident cannot be prevented—fix everything. In other words, they are expected to be security superheroes, without necessarily being given the resources to achieve this ambition.
The superpowers of the CISO are still overlooked
The role of CISO, while currently attracting curiosity and interest from recruiters, is still a relatively new profession. This undoubtedly explains, in part, why the potential of the role is not yet fully recognized by many organizations.
The challenges of cybersecurity are still poorly understood.
While most companies have taken the step of adopting basic malware protection, organizations as a whole are still lagging behind when it comes to cybersecurity.
- Only 39% of them say they are sufficiently prepared in the event of large-scale cyberattacks.
- Of the 89% of companies that use the cloud, 55% choose the public cloud, meaning they have no control over the outsourcing carried out by the host, and cannot audit or monitor how employees use it.
- More than 40% of companies experienced negligence or handling/configuration errors on the part of an employee in 2019.
The conclusion is therefore clear: there is still a long way to go, with a lot of evangelization work still to be done on the part of CISOs.
The CISO: superhero or pain in the neck?
When an issue is poorly understood, the professions related to it are in turn misunderstood or even poorly perceived.
This is precisely what a number of CISOs are experiencing, perceived as friendly geeks at best, and, at worst, as "spoilers" who slow down or block projects.
An IDC study conducted by Devoteam shows that in more than a third of organizations, security remains an afterthought in initiatives and new projects.
In other words, two times out of three, the CISO is the expert who gets overlooked...or even carefully avoided!
What if CISOs exercised their powers?
CISOs can rest assured: even though the job is both complex and poorly understood, things are changing!
Cybersecurity is gaining ground
Organizations still have a long way to go when it comes to cybersecurity. But let's look at the glass as half full: they are making progress! At least, that's what the figures from the 2020 cybersecurity barometer show.
- 91% have implemented a cyber resilience program or are considering doing so (12 points more than last year).
- 60% of them have taken out cyber insurance (1 percentage point more than last year).
- 62% are considering increasing their budgets for cyber risk protection, and 83% are ready to purchase new technical solutions.
Admittedly, pessimists will argue that the COVID health crisis, which occurred after this study was conducted, is likely to have an impact on organizations' willingness to take action, for budgetary reasons. Nevertheless, awareness and good intentions are there, with the prospect for CISOs of seeing cybersecurity issues better addressed in the medium to long term.
Let's make a difference with Tenacy!
Even if the road to superhero status still seems long, don't despair: the emerging trend offers you hope that you will be able to make better use of your skills and provide better protection for your business.
But making better use of your skills means, above all, finding (or rediscovering) the time to focus on what is essential and work efficiently.
How? First, by adopting a dedicated solution that allows you to:
- automate whatever can be automated (calculating indicators, collecting information);
- be guided on a daily basis (runtask, formalization of the security program);
- have the visibility needed to analyze your activity (security dashboards, evaluation tracking, control plans, etc.).
Did you know that such a tool exists to support you in your (super) CISO duties? A SaaS platform that is adaptable and collaborative, our cybersecurity management solution is the result of 15 years of experience in information system security consulting.
Much more than just a tool, Tenacy is the first solution dedicated to cybersecurity management. Comprehensive and designed by CISOs for CISOs, it transforms their daily lives in three ways:
- Efficiency: time savings on time-consuming tasks with low added value
- Visibility: 360° insight, thanks to clear, operational, and strategic indicators
- Consistency: alignment between operations and objectives