CISO Challenges for Implementing Cybersecurity - Rajarshi Bhattacharyya, Chairman and Managing Director, ProcessIT Global
Growing dependency across industries on digital technology and solutions for business benefits has unfortunately created cybersecurity challenges too. The expanding threat landscape, coupled with the increasing frequency and sophistication of cyberattacks, is a cause of constant nightmares for Chief Information Security Officers (CISOs).
According to the WEF Global Cybersecurity Outlook 2022, working in cybersecurity can be extremely stressful and taxing. The report says the average turnover for CISOs is only twenty-six months, which is just over two years. More than 88 percent of security professionals report being moderately or tremendously stressed, with 48 percent saying work stress has had a detrimental impact on their mental health.
Ever-expanding attack surface
In comparison to the simple computing systems of the 90s, today’s enterprise attack surface is growing exponentially. The rapid increase in hybrid working culture, BYOD adoption, the proliferation of IoT devices and migration to the cloud are together creating innumerable ways for cyber-attackers to enter any organisation’s network. Remote working employees connected to various kinds of devices that may not be secured can put the entire network at risk, increasing the attack surface further. There are also threats that can bring down operational efficiency and brand value besides increasing customer churn. CISOs have to address attacks across all mediums, such as mobile phones, web, social media platforms and other attack surfaces, to ensure data security.
Furthermore, today even the digital supply chain is at risk, as hackers see huge returns in investing here, leading to a further rise in threats. According to Gartner, 45% of organisations globally will have experienced attacks on their software supply chains by 2025, which will be a three-fold increase from 2021.
Too many products and solutions to choose from
Whenever CISOs are seeking a security solution to solve a specific issue, they are met with over 1,000 vendors, leading to confusion while choosing the right one. The value propositions do not provide a clear and complete picture of the solution and what it can address. CISOs do not want to manage too many security products but prefer a holistic solution provided by a few vendors only.
Furthermore, many of these vendors neither address the challenges of new attack surfaces nor have solutions that can be integrated into the overall processes. Integration of the solution with AIOps and other IT systems is a serious concern for the CISO. The changing architecture is providing opportunities for more vendors to step in, adding to the market noise.
With new risks and the evolution of ransomware and other attacks, it is crucial for CISOs to continuously upgrade their products and solutions to address them. Ongoing maintenance, regular audits and other time- and resource-consuming exercises also have to be carried out by CISOs, adding to their stress.
Lack of awareness and in-house expertise
Lack of cybersecurity awareness and poor security practices among employees can turn them into easy targets for cybercriminals who are always on the prowl. Secondly, even though CISOs have begun to leverage AI and other new-age technologies in Security Operations Centres (SOCs) for addressing cyber-attacks, several limitations still exist due to a lack of security talent. In a survey conducted this year by global IT governance firm ISACA, 60 percent of the organisations in India revealed they have vacant cybersecurity positions and 42 percent said their organisation’s cybersecurity team is understaffed.
This again puts additional pressure on CISOs as they continue to source and recruit the right candidates for the vacant positions.
Despite cybersecurity gaining more attention from the C-Suite, the budgets allocated for it do not match the SOC requirement, causing distress to CISOs. Business leaders should know that cybersecurity, when implemented appropriately, increases the business, customer and market values of the organisation.
For CISOs to succeed in their cybersecurity implementation, they have to maintain the right team, keep up with the latest tools and technologies, collaborate with peer groups, educate all stakeholders, get C-Suite support and ensure regulatory compliance.