CSOs’ and CISOs’ responsibilities are very broad and highly dynamic. As technologies emerge, new schemes, scams and vulnerabilities pop up, CSOs and CISOs are challenged to rapidly respond, identify new issues and mitigate threats. Let’s face it: their plates are quite full. With the expanded threat environment and the continuously increasing number of information assets, CSOs and CISOs have become laser focused. What I find most interesting is that while the threat environment is expanding and the number of information assets continue to increase – budgets have not kept up. I do not know any CSO or CISO that has said "I have all the funding I need to protect my organization against cyber threats." If that has happened, it has to be very rare.

Given the lethargic economic conditions, increased global competition, and the general business environment, organizations still tigthen their budgetary belts. The trickle down implications have taken its toll on security budgets. While it may have begun with delaying new hires for the enterprise security department, some organizations have and continue to see staff reductions. Another common occurrence is the merging of security departments operating within a branch, division or sister company to one security department spanning those previously separate areas. And along with that reorganization comes staff reductions.  

An interesting comment was made recently while I was speaking on digital transformation. A female executive in the audience mused that high blood pressure and stress have now become occupational hazards for everyone involved in security. That is not far from the truth. With all of the new IoT devices, robots, wearable technology and more moving into the business environment, it is easy to see how the additional challenges could further raise blood pressures and stress levels.

CSOs and CISOs must open their vision and look at what is coming in the next three to five years. That requires a fair amount of online research and attending physical and virtual conferences. Once you determine the potential implications of all of this on security for your organization, you should estimate the risks and appropriate step to manage those risks. After all that work is done, analysis must be communicated to the organization so that other executives are aware of those risks, understand them and can plan and budget for them. YES – that is a substantial amount of work required, but your only other choice is to take a purely reactive approach. Surprise requests for budget increases do not go over well in any organization. In fact, they are a CLM, a Career Limiting Move!