Why CISOs are superheroes

In the comics, the superhero is the one who fights the threats that ordinary mortals are powerless to prevent. In the corporate world, the CISO fights a very particular kind of threat: cyber threats are still not sufficiently recognized by employees, or even by management, even though the battle against them is becoming ever more complex.

The challenges of cybersecurity are considerable

It's true that a CISO's day-to-day work doesn't involve saving the world from collapse. The responsibility is nonetheless a heavy one, given the seriousness of the consequences of a cyber-attack: production slowdown or stoppage, website unavailability, delivery delays and contractual penalties, damage to the company's image...

The figures are telling: as early as 2019, 65% of companies had experienced an attack, and in 57% of those cases it had an impact on business (source: CESIN Corporate Security Barometer, January 2020).

Every CISO is also aware that their organization is at risk, whatever its characteristics, since experience shows that attacks affect all types of structure, sometimes with disastrous consequences. To take just one example, the lingerie maker Lise Charmel went into receivership after a two-month shutdown and a loss of several million euros.

The business is increasingly complex

Even if the scope of a CISO's activities depends largely on the size and organization of the structure that employs them, their missions remain considerable. They cover all or part of the five functions identified in the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), which has proved to be a relevant tool for managing cyber risk.

But the real complexity of the job lies not only in this perimeter, but also in the fact that threats are constantly increasing and now come in all shapes and sizes.

In concrete terms, this is illustrated by:

  • the variety of attack vectors: phishing or spear-phishing (79% of attacks), CEO fraud (47% of cases) and exploitation of a vulnerability (43%), but also intrusion attempts, denial-of-service attacks, attacks that pivot through a service provider, and deliberate disclosure of information;
  • the diversity of the consequences of attacks, ranging from identity theft or infection by malware or ransomware to data theft, cryptojacking or website defacement;
  • the spread of "risky" practices, such as the move to cloud computing, shadow IT, etc.

Conclusion? The CISO is expected to see everything, know everything, anticipate everything, prevent everything and, if an incident cannot be prevented, fix everything. In other words, to play the role of security superhero, without necessarily being given the means to live up to that ambition.

The CISO's superpowers are still unrecognized

The CISO profession, although it is in high demand among recruiters today, is still a "new" job. This is undoubtedly one of the reasons why many organizations have yet to fully appreciate the potential of the position.

The challenges of cybersecurity are still poorly understood

While most companies have taken the step of adopting basic malware protection, organizations as a whole are still lagging behind when it comes to cybersecurity.

  • Only 39% consider themselves sufficiently prepared for a large-scale cyber-attack.
  • Of the 89% of companies that use the cloud, 55% have opted for the public cloud, which means they do not control the subcontracting carried out by the hosting provider and cannot audit or control the use their employees make of it.
  • More than 40% of companies were confronted in 2019 with negligence or a handling or configuration error on the part of an employee.

The conclusion is clear: there is still a long way to go, and CISOs still have a lot of evangelizing to do.


The CISO: superhero or troublemaker?

When an issue is poorly understood, the professions associated with it are, in turn, poorly understood or even poorly perceived.

This is precisely what a number of CISOs are experiencing: perceived at best as nice geeks and, at worst, as "troublemakers" who slow down or block projects.

An IDC study carried out for Devoteam shows that in over a third of organizations, security is still an "afterthought" when it comes to new projects and initiatives.

In other words, in more than one case out of three, the CISO is the expert everyone forgets... or even carefully avoids consulting!

What if CISOs were to deploy their powers?

CISOs can rest assured: even if the job is both complex and poorly understood, things are moving!

Cybersecurity gains ground

It's true that organizations still have a long way to go when it comes to cybersecurity. But let's see the glass as half full: they are making progress! At least, that's what the figures from the 2020 CESIN Cybersecurity Barometer show.

  • 91% of them have set up a cyber-resilience program or are considering doing so (up 12 points on the previous year).
  • 60% have taken out cyber-insurance (up 1 point on the previous year).
  • 62% plan to increase their cyber-risk protection budget, and 83% are ready to acquire new technical solutions.

Of course, the more pessimistic will argue that the COVID health crisis, which arose after this study, is likely to curb these good intentions for budgetary reasons. The fact remains that awareness and good intentions are there for all to see, with the prospect for CISOs of seeing cybersecurity issues better taken into account in the medium to long term.

Let's change things with Tenacy!

Although the road to superhero status may still seem long, don't despair: the emerging trend offers you the hope of being able to use your skills to the full and ensure better protection for your business!

But getting the most out of your skills means, first and foremost, (re)finding the time to focus on the essentials and to work efficiently.

How can you do this? Firstly, by adopting a dedicated solution that enables you to:

  • automate what can be automated (indicator calculations, data collection);
  • be guided day to day (task execution, formalization of the security program);
  • have the visibility needed to analyze your activity (security dashboards, assessment follow-up, control plans, etc.).

Did you know that such a tool exists to support you in your (super) CISO duties? An adaptable, collaborative SaaS platform, our cybersecurity management solution is the result of 15 years' experience in information system security consulting.

Much more than a simple tool, Tenacy is the first solution dedicated to cybersecurity management. Designed by CISOs for CISOs, it transforms their day-to-day work in three ways.

  • Efficiency: save time on time-consuming, low-value-added tasks
  • Visibility: 360° visibility, thanks to clear operational and strategic indicators
  • Consistency: alignment between operations and objectives