
The modern CISO: Mounting pressure, systemic risk and growing boardroom influence

By Lucia Milică, Bob Zukis
October 25, 2021

To say the past 18 months have been challenging for the Chief Information Security Officer (CISO) is something of an understatement. What started as a need to rapidly deploy and secure mass remote environments quickly evolved into supporting these environments over the long term, not just for the company, but for and against the risks of the broader connected ecosystem.

At the same time, and at least partly as a result, this increasingly vast digital ecosystem faced a barrage of cyberattacks, both old and new, according to a study conducted by Proofpoint.

To make matters worse, cyber threats are not just increasing in number. The scale and scope of damage caused by these attacks have grown ever larger too. The SolarWinds, Microsoft Exchange and Colonial Pipeline attacks are just some of those to have recently highlighted the issue of systemic risk.

Once, such an attack may have led to downtime and loss for only the organization. Today, it can cast a much wider net. Disruption to one component in one organization can lead to breakdown, loss and interruption to numerous systems and services, potentially impacting the lives of millions of people.

All of these events have served to elevate the profile of the CISO. The role was once perceived as a more technical discipline, but many are now realizing its importance in driving and enabling business strategy.

This changing role has brought added pressure — some believe too much. Over half (57%) of CISOs worldwide believe that the expectations of their superiors and colleagues are excessive.

Whether expectations are unrealistic or not, one thing is clear. The CISO now has a leadership voice. And they must use it to instill confidence at the highest levels of the organization, as the foremost executive on the front lines against the threat of systemic risk, reframing cybersecurity from a focus on protecting our organizations to one that enables them to thrive into the digital future.

The sprawling consequences of systemic risk

Systemic risk may be a familiar concept to some, but the complexity of today’s digital systems is introducing new systemic risks that are presenting unfamiliar threats to everyone.

Perhaps nothing exemplifies the scale of the task like the SolarWinds attack. It began with hackers adding malicious code to the company's software system. This was then unwittingly sent to SolarWinds' clients in the form of an update — clients that included numerous Fortune 500 companies and several U.S. Government departments, Homeland Security and the Treasury among them.

It ended with a full-scale international incident and sanctions imposed on the Russian government by the Biden administration.

Of course, no CISO wants to be at the heart of a diplomatic incident, but that is perhaps not the most pressing concern here. The New York State Department of Financial Services referenced the SolarWinds attack in its Cyber Insurance Risk Framework, noting that insurers must account for the systemic risk that occurs "…when a widespread cyber incident damages many insureds at the same time."

Insurers can pass some of that exposure back to their insureds, either through increased premiums or policy exclusions. But the foundational issue of understanding the economic impacts of these risks and effectively mitigating them still needs to be addressed, as most companies are largely self-insured for these losses. 

And it's far from the only cause for concern. Government bodies and officials are increasingly pointing the finger at the boardroom, potentially opening the door for greater litigation and increased fines, as well as highlighting the need for cybersecurity governance oversight at the board level.

In December 2020, Chief Justice of the Delaware Supreme Court Collins Seitz Jr. said that boards needed to "demonstrate credibly that they are thinking proactively about systemic risk." In Europe, fines for such breaches can reach the hundreds of millions. That's along with the significant negative impact on shareholder value that usually follows such penalties.

With the stakes this high, CISOs must use their increasing influence in the boardroom to ensure the C-suite is aware of the potential impact of systemic cyber risk, the areas of the organization most vulnerable to it and the tools and resources required to protect against it.

Making the business case for defense in depth

The elevated role of the CISO may invite greater pressure. But it also means that there has never been a better time to make the business case for greater investment in cybersecurity. Or, perhaps more importantly, to dictate precisely where that investment is focused.

We know that people are the biggest cyber risk to most organizations, with over 90% of successful cyberattacks requiring some form of human interaction. And we also know that security awareness training can reduce susceptibility to common threats such as phishing.

But despite this, little cybersecurity spending is focused in this area. Network and endpoint protections account for over 70% of cyber defense spending, with email protection and security awareness training making up just 10% and 2%, respectively.

This needs to change. People are at the heart of successful cyberattacks, and they must be at the heart of our defenses too. These defenses need to be viewed as a system in and of themselves.

Ongoing, adaptive and in-depth awareness training is just one part of an effective cyber defense. Cybersecurity teams must also implement clear best practice policies covering password hygiene, bring your own device (BYOD), unauthorized applications and more. They must have tools in place to monitor networks and data, detect and deter advanced threats and automate threat response to limit collateral damage caused by delays.

It is up to the CISO to communicate the importance of such a deep and broad defense and how the consequences of failing to implement one will likely stretch far beyond the boardroom.

KEYWORDS: boardroom strategies, Chief Information Security Officer (CISO), cyber security initiatives, data breach, insider risk, risk mitigation


Lucia Milică is Global Resident CISO of the cybersecurity company Proofpoint. (Image courtesy of Milică)


Bob Zukis is CEO at Digital Directors Network. He is a leading advocate for digital diversity in the corporate boardroom. (Image courtesy of Zukis)
