When a group of CISOs discussed what plagues them the most̅, some of the major concerns that surfaced revolve around acquisitions, balancing their executive team’s “need to know”, optimizing focus on critical initiatives, GDPR, and ransomware, amongst others.
There’s no shortage of think pieces telling CISOs what they should be concerned about, often written by magazine and internet staff writers. And although much-discussed issues like staff shortage and risk mitigation are at the top of the list of every IT security leader’s challenges, it is refreshing to hear directly from your peers about those pressing issues that remain overlooked or unsaid. Bill Malik, Vice President of Infrastructure Strategies for Trend Micro and Certified Information Systems Auditor (CISA) sat down with a dozen IT security leaders to discuss what is occupying their time—in order to shine a light on what worries CISOs most.
The high pace of acquisitions
Because the business environment in constantly changing, many CISOs are forced to deal with this challenge at the same time as they deal with cybersecurity shifts —leading to one third of those interviewed citing the high pace of acquisitions as a significant source of risk. This may be because information security resources are often consumed before, during, and after an acquisition. Even before the procurement, the InfoSec team must verify the integrity of the target environment’s IT infrastructure. This is usually a strenuous undertaking that is regularly performed under strict deadlines and bound by the terms of an NDA. A number of interviewees reported an acquisition every six weeks over the past two years, leaving little room for error and requiring IT security leaders to tirelessly ensure all team members stay on the same page and practice open communication.
The ongoing challenge of focus
Although the task of matching the executive team’s need to know with the managerial desire to enhance team focus on critical initiatives seems like a given, those interviewed gave some interesting insight on the subject. External pressure from the boardroom can often lead to micromanaging of the IT security team, even from the most self-effacing CISOs. This incongruous focus can distract the Board and the C-suite from their primary missions, and frustrate those doing the job. Malik reminds CISOs about the importance of communication within your team, suggesting the adoption of a newsletter. “This document provides the status for ongoing projects, notes about top performers, assessment of newly discovered vulnerabilities, and pointers towards effective risk mitigation the leadership team can bring to their respective operational areas”, says Malik. “When a Board member has a question for the team, the CISO can intercept it and post a response through the newsletter.”
Communication is key
From acquisitions and team management to BYOD policies, GDPR compliance, and the looming concern of BEC attacks, there’s plenty to keep CISOs up at night. But Malik makes clear that the one of the most vital tools to mitigate risk is simple communication. An open line of information between IT security leaders and their teams, across their peers, as well as throughout the cybersecurity industry as a whole helps CISOs focus on the latest threats, technologies, and insights. Read What Worries CISOs Most In 2019 for more awareness into the threats and worries CISOs face and how you can quell them.