April 1, 2024

CISOs are Heroes
CISOs are often overlooked when it comes time for accolades and awards. They aren’t always invited to Career Day at the local elementary schools. During quarterly meetings, they are not recognized as Employee of the Month. Heck, they are having a good day if they are not being held legally accountable by the SEC for a cyber intrusion that was out of their control. It’s not easy being a CISO. Every day, 24/7, they protect a company’s stock price, daily earnings, investments, success, and future growth by securing the people, processes, and technology that enable the company to operate. They are heroes.

However, like teachers, veterans, doctors, nurses, police officers, first responders, and engaged parents around the world who balance, sacrifice, and strive for a greater good, CISOs do not need or want the attention. They just want to make a difference. After all, attention often comes only for all the wrong reasons: a media report of a cyber intrusion, files locked by ransomware, a website taken offline by a DDoS attack. If you do not notice what a CISO does on a daily basis, it often means they are doing something right. They are protecting the company from harm. And they make it look easy.

Of course, we all know it is not. When you think of all the things that could possibly go wrong, the list is endless. Yet for CISOs the list is itemized, inventoried, assigned a level of risk, and mitigated with a process or solution. They follow a risk management framework that transcends the IT department and is integrated into every level of the business, including the boardroom.

CISOs wear many hats: technology expert, security guard, teacher, leader, auditor, and budget hero. They understand the company’s network architecture, what devices are connected to the network, and what software runs on it. Like the physical blueprint of a building, the CISO has all entrances and exits of the network marked on a network diagram and locked through security controls like two-factor authentication, single sign-on (SSO), logging, and endpoint and network detection monitoring software. When an unauthorized device or user appears on the network, or someone downloads and uses software that has not been approved for use by the company, the CISO has systems and software in place to detect it.

The CISO makes sure the company is secured like a billionaire’s estate, providing defense-in-depth to ensure no intruders gain access to prized possessions or cause damage to personal space. Even with all of these measures in place, the CISO knows the quickest way in is through the front door with a stolen password. Ongoing training and education are required to teach employees how to recognize phishing and social engineering attempts. CISOs realize that no one can protect the company alone, and they inspire all employees to be on the lookout and report suspicious activity. The CISO leads the call for vigilance and awareness that touches every aspect of the business.

It is with this same dedication to vigilance and awareness that the CISO helps guide company-wide strategy in the boardroom. They educate leaders about the ever-changing and shifting types of threats and risks the company faces. They propose solutions to mitigate these threats that make financial sense. These solutions are woven into the company’s overarching strategy for success. The Board knows very well that protecting the brand and its assets is critical; an investment in risk mitigation and other types of cybersecurity software can save the company millions of dollars down the line. The CISO advises on the best path forward, adding clarity to the clutter of choices. When explaining the best solution, the CISO needs to think outside of the box with creative answers to complex cyber problems. What works, what doesn’t work, and how do you prove it?

The CISO has a unique opportunity to guide investments and help the company save money in ways it has never considered. CISOs can use a risk mitigation software-as-a-service (SaaS) app like X-Analytics to help facilitate this conversation by connecting dollars to risk. You can say business interruption from ransomware is a severe risk. But when you support that claim with financial data, for instance, that says the company would lose $2.5M a day without the processing software needed to fulfill orders, the business lens becomes clearer. The lost dollars connected to cyber exposure become real, as does the threat. CISOs also have the advantage of a high-level overview of all company assets, hardware, software, and procedures. They can apply this business lens to everything and assign a dollar value to the risk that cybersecurity threats present across the company. It is also helpful to speak in percentages to underscore the increased severity of a risk. For example, using X-Analytics, they would have the data points to say: “The cybersecurity threat of data breach through point-of-sale intrusion has increased 75% in the last quarter. We have 45% cyber exposure for loss in this risk category. If we prioritized adding more mitigation controls within network monitoring and defense, we would decrease that vulnerability to 5% and potentially save $65M.” These are the words leaders on the board like to hear.

Like any job, the CISO doesn’t always lead the glamorous life found in the boardroom. The CISO is responsible for leading Governance, Risk, and Compliance (GRC) efforts by working closely with auditors to earn certifications that show the company meets or exceeds standardized guidelines to securely conduct business. This opens opportunities with the government and other corporations that value the seal of validation and approval these certifications represent. On top of helping secure new business and continue current business contracts, the GRC process helps ensure the right cybersecurity framework and guidelines are in place. It also provides a unique opportunity to prove adherence to these foundational principles, which is hard work and not always easy to do. It can be like herding cats. Yes, we say we do this, but do we really do it? That is what matters when you are trying to protect a company against cybersecurity threats. Are the cybersecurity standard operating procedures (SOPs) enforced? These certifications help show they are.

Even though the CISO does not always live the life of glamor and may not get the appreciation the role deserves, the CISO’s extraordinary efforts do not go unnoticed. They are evident in the very fabric of the business—the people, processes, and technology that join together to accomplish a mission. The CISO makes sure they are all connected and protected against threats that would harm the business. So thank a CISO the next time you meet, whether online or in the office. Bring them a coffee, put an apple on their desk, nominate them for Employee of the Month, and just let them know you appreciate what they do. At the very least, don’t click on that phishing link. They are always busy saving the company, or your job, from the need for disaster recovery.
