Before COVID, cybersecurity was a concern for businesses everywhere. In fact, in Microsoft’s 2019 Global Risk Perception Survey, 57 percent of companies ranked cybersecurity as a higher risk than economic uncertainty and brand reputation or damage.
As COVID continues, cybersecurity risks remain high. In April 2020, the World Health Organization saw a fivefold increase in cyberattacks on its staff and organization, and Microsoft reports that by the end of March 2020 every country in the world had seen at least one COVID-19 themed attack.
Looking ahead, what does all of this mean for the role of the Chief Information Security Officer (CISO)? Not only is it more important than ever before — with 61 percent of companies having someone in the role of a CISO — but the role has shifted since the start of COVID. According to Douglas Gladstone, Comhar Partners Managing Director, “The role of the CISO has greatly shifted to focus more efforts on remote work and business continuity. With an influx of more remote cyber threats, we will likely see an increased need for security training and more emphasis on supporting help-desk staff in providing virtual security assistance. To better manage continuity, a focus on patching remote systems via VPNs will likely take precedence.”
If you’re among the 39 percent of companies without a CISO, it’s time to consider who can best fill this role for your organization. With the workforce going remote, more attacks on the rise, and the need to evolve company technology in order to stay competitive, the person in this role must be able to manage a unique set of security challenges.
To find the best candidate for your company, consider the skills today’s CISO needs.
Securing the remote workplace
The importance of the CISO function has become more apparent for nearly every business as they shift to remote work, which brings its own set of security challenges. Risk is no longer contained within the four walls of the office. Now the CISO must secure employee devices and accounts across the country or even around the world.
As such, the person in this role needs to be familiar with developing and updating policies and procedures company-wide, along with applying them and tracking success. They also need to understand the landscape of tools like VPNs and Network Access Control and be able to implement them successfully to ensure the company is never at risk.
More importantly, they need the team to continually manage the various tools, policies and measures put in place. This is why it is critical to hire a CISO who can take the lead in hiring in-house employees or an outsourced support team to manage new risks as they arise.
“Security solutions are extremely crucial especially for the remote workforces,” says Karen Turrini, Comhar Partners Managing Director. “In addition to sophisticated security breaches, simple malware is detected often as a result of the remote workers. It’s estimated that the remote workforce will continue with 50 percent remote and 50 percent in corporate offices when this pandemic subsides. Companies will demand CISO expertise more than ever.”
A successful CISO will be incredibly tech-savvy and adaptable. Someone in this role needs to be able to work around the complications and additional security concerns surrounding the ever-increasing remote workforce.
Maintaining cybersecurity as a cultural mindset
The job of a CISO isn’t just to make sure the company is secure and the IT team is doing what it needs to. With 90 percent of data breaches caused by human error, a critical part of this role is developing a culture of security and nurturing this among the entire company, from their IT team to sales, marketing, HR and operations.
The CISO needs to share their knowledge of security with the whole team, and make sure it’s accessible and easily understood by all team members—not just those proficient in security and IT. For example, the person in this role might implement strong password policies company-wide and develop ongoing and engaging cybersecurity training.
Employees are one of the biggest risks for organizations, so tasks like educating team members about phishing and ensuring everyone is using two-factor authentication are key elements of the modern CISO’s role.
Additionally, there should be open communication with all departments so that employees feel comfortable reporting threats as soon as they arise. The whole team needs to be able to work together in conjunction with IT and the security team to build a resilient and secure organization.
Enabling competitive advantages
The role of the CISO is to be a security expert as the company evolves. As Justin Somaini, Chief Security Officer of SAP, says, “Digital technologies and connectivity have infused every aspect of the business. This elevates risk, but it also elevates the value and importance of the cybersecurity function. The CISO increasingly has a seat in the executive suite because security is no longer just about risk; it’s also about competitive differentiation.”
Security isn’t just about keeping your company safe. Now, it’s about securing the product that you offer, along with customer data, paywall information, and much more. As the role of technology in business expands, so does the role of the CISO.
Looking at 2020 and COVID, however, it’s becoming even more challenging for the CISO to enable this competitive advantage while maintaining security. As Jack Mannino, CEO at nVisium, explains to Security Magazine, “The challenge for many organizations is continuing to accomplish their security must-dos with significantly fewer resources. Relying on a pool of trusted security partners is critical, as niche skills or deep expertise may come from external sources when internal headcount is constrained.”
This is why the role of the CISO cannot be underestimated. Despite a lack of resources, their authority, experience and expertise can keep the organization safe as they expand in an uncertain world.
The evolving role of the CISO
The CISO is more critical now than ever before. Companies need to not only maintain normal security measures, but they also need to secure a remote workforce, nurture a security-minded company culture and leverage the CISO’s expertise as the company evolves. The right person in this role will be able to keep the company and its customers safe, which in turn affects every other area of the business. This makes the CISO a key role for every organization to consider as they expand into the “new normal” and manage the risks that come with it.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.