Why CISOs are superheroes
In the comics, the superhero is the one who fights the threats that ordinary mortals are powerless to prevent. In the corporate world, the CISO fights a very special kind of threat: cyber threats are still not sufficiently recognized by employees, or even by management, even though the battle against them grows more complex every year.
The challenges of cybersecurity are considerable
It's true that a CISO's day-to-day work doesn't involve saving the world from collapse. But his or her responsibility is weighty, given how serious the consequences of a cyber-attack can be: production slowdown or stoppage, website unavailability, delivery delays and contractual penalties, damage to the company's image, and so on.
The figures are telling: already in 2019, 65% of companies had experienced an attack, and in 57% of those cases it had an impact on the business (source: CESIN Corporate Security Barometer, January 2020).
CISOs also know that their organization is at risk whatever its size or sector, since experience shows that attacks hit every type of structure, sometimes with disastrous consequences. To take just one example, the lingerie maker Lise Charmel went into receivership after a two-month shutdown caused by an attack and a loss of several million euros.
The business is increasingly complex
Even if the scope of the CISO's activities depends largely on the size and organization of the employer, the range of missions remains considerable. It covers all or part of the five functions defined in the NIST Cybersecurity Framework (identify, protect, detect, respond, recover), which serves as a useful reference model for cyber-risk management.
But the real complexity of the business lies not only in this perimeter, but also in the fact that threats are constantly on the increase, and now come in all shapes and sizes.
In concrete terms, this is illustrated by:
- the variety of attack vectors reported by companies: phishing or spear-phishing (79%), CEO fraud, the so-called "president scam" (47%), exploitation of a vulnerability (43%), but also brute-force login attempts, denial-of-service attacks, attacks that pivot through a service provider, and deliberate disclosure of information (the percentages overlap, since a company may suffer several of these in a year);
- the diversity of the consequences of attacks, ranging from identity theft and infection by malware or ransomware to data theft, cryptojacking and website defacement;
- the spread of practices that widen the attack surface, such as migration to the cloud, shadow IT, etc.
Conclusion? The CISO is supposed to see it all, know it all, anticipate it all, avoid it all, and - if the incident cannot be avoided - fix it all. In other words, to play the role of security superhero, without necessarily being given the means to achieve this ambition.
The superpowers of the CISO are still ignored
The CISO profession, while it now attracts the attention of recruiters, is still a "new" job. This is undoubtedly one of the reasons why many organizations have yet to fully appreciate the potential of the position.
The challenges of cybersecurity are still poorly understood
While most companies have taken the step of adopting basic malware protection, the fact remains that organizations as a whole are still lagging behind when it comes to cybersecurity.
- Only 39% say they are sufficiently prepared for large-scale cyber-attacks.
- Of the 89% of companies that use the cloud, 55% choose the public cloud, which gives them little visibility into the subcontracting carried out by the hosting provider and limited ability to audit or control the use employees make of those services.
- More than 40% of companies in 2019 were confronted with negligence or a handling/configuration error on the part of an employee.
The conclusion is clear: there's still a long way to go, and CISOs still have a lot of evangelizing to do.
The CISO: superhero or pest?
When an issue is poorly understood, the related professions are, in turn, poorly understood or even poorly perceived.
This is precisely what a number of CISOs are experiencing, perceived as nice geeks in the best-case scenario, and, in the worst-case scenario, as "troublemakers" who slow down or block projects.
An IDC study carried out for Devoteam shows that in over a third of organizations, security is still an "afterthought" when it comes to new projects and initiatives.
In other words, in roughly one organization in three, the CISO is the expert people forget... or even carefully avoid consulting!
What if CISOs were to deploy their powers?
CISOs can rest assured: even if the job is both complex and poorly understood, things are moving!
Cybersecurity gains ground
It's true that organizations still have a long way to go when it comes to cybersecurity. But let's see the glass as half full: they are making progress! At least, that's what the figures from the January 2020 CESIN Barometer show.
- 91% of them have set up a cyber-resilience program or are considering doing so (up 12 points on last year).
- 60% have taken out cyber-insurance (up 1 point on last year).
- 62% plan to increase their cyber-risk protection budgets, and 83% are ready to acquire new technical solutions.
Of course, the more pessimistic will argue that the COVID health crisis, which arose after this study, is likely to curb organizations' follow-through for budgetary reasons. The fact remains that the awareness and good intentions are there for all to see, and CISOs can expect cybersecurity issues to be better taken into account, sooner or later.