Shifting the Blame: How CISO Empowerment Can Create a Security-Focused Organization


In the world of cybersecurity, breaches are inevitable. If it hasn’t happened to your business, it’s likely you know one that has been victimized. According to the Identity Theft Resource Center®, the number of data breaches has been increasing year over year, with 3,205 publicly reported breaches in 2023. That’s up 78% from 2022. Of these incidents, the Verizon 2024 Data Breach Investigations Report found that approximately one-third involved ransomware or some other extortion technique.

As if these incidents didn’t wreak sufficient havoc on their victims (data and revenue losses, tarnished reputations, etc.), they are also igniting some unhealthy debates within businesses and across industries, commonly referred to as the blame game. That’s when, in the wake of an incident, the organization spends an inordinate amount of time finding out who was responsible rather than teaming up to determine and fix the root cause of the breach.

The reality is far less cut and dried. Do CISOs need to step up and accept responsibility? Of course – after all, this is ultimately their job. But it’s a job that can’t be done alone. Security is a team sport, and executives and directors across the company must collaborate with the CISO to balance security with other important priorities. It’s on the CISO to facilitate those relationships and gather knowledge from across the organization so that the lessons learned about security posture actually improve it.

But again, the CISO cannot do this alone. They will also need CEOs to help drive positive action throughout the business. We saw an example of this recently when Microsoft CEO Satya Nadella confirmed the company’s plans to link executive compensation to security performance. This followed a string of security incidents and comments from the Department of Homeland Security’s Cyber Safety Review Board, which deemed the company’s security to be inadequate and in need of an overhaul.

But a CEO’s involvement shouldn’t only come as a last resort. CEOs should take a proactive stance to highlight that security is also in the business’s best interest and can be balanced with the overarching goals of the business. With the CEO on board, the spotlight then shifts back to the CISO who must then begin work to create a security-focused organization. Here are some key areas that must be a priority.

Responsibility and awareness

While security leaders can provide air cover to the business to detect and respond to security incidents, prevention of security incidents requires a lot of collaboration with other teams to implement controls. CISOs must begin by building bridges that connect the most important security initiatives to the business leaders and technology teams and then working with those groups to put these initiatives in place.

This is an area where CEOs can help. According to Accenture’s The Cyber-Resilient CEO research report, a majority (96%) of CEOs understand the importance of cybersecurity, acknowledging that it is a key enabler for organizational growth, stability, and competitiveness. Knowing how vital this is to the business, CEOs should step up to support their CISO by highlighting cybersecurity as a key risk to the business, the value of incorporating security initiatives throughout the organization, and how this can help drive company success.

Education

Next comes education. Never assume that all employees are familiar with the latest threats and processes. While every chapter of the security handbook is deeply ingrained in a CISO’s everyday life and aligned with the latest threats, that is not the case for the vast majority of the company, because it’s not part of their job. Just as security people don’t keep up with the latest finance and accounting principles, you cannot ask everyone to be a security expert.

Take the time to educate employees on the threat landscape, best practices, and the exact steps they must follow daily to ensure that they personally AND the business are taking proactive steps to be secure. Here are some examples:

  • Password manager: Passwords are more important than ever before, and managing them is a major undertaking when you consider the average number of passwords employees use today—according to the 2024 NordPass survey, the average employee uses 87 passwords for work purposes. Password manager solutions generate complex passwords, store them all in a secure location, and update them regularly, something many employees fail to do on their own, even when prompted by the security team.
  • Multi-factor Authentication (MFA): In today’s day and age, password managers alone are insufficient. Employees must also use MFA, which requires each person to provide two or more verification factors when accessing an application, an online account, VPN, and more. Make it a point to mandate that employees use MFA for every single account.
  • Phishing: While a CISO may know how to spot phishing attacks, not all of your employees have this same level of awareness. Hold mandatory cybersecurity training sessions that show people how to recognize phishing emails and spot red flags. More important than spotting these attacks, however, is calling for everyone to report each occurrence to the security team. Many of us are guilty of spotting a suspicious email, for example, and while deleting it, we fail to take it one step further and report it to the security team so they can get ahead of the scam and prevent the rest of the employee base from getting tricked.
  • Emerging tactics: Be sure to alert employees to the latest tactics being used by attackers. A good example is social engineering campaigns, where attackers impersonate colleagues and executives, making unusual requests to share sensitive data or transfer money.

The cybersecurity plan & board-level buy-in

While communication with employees is essential, CISOs must also create a comprehensive cybersecurity plan and have the opportunity to present it to the board to create awareness on critical business risks, gain input, and foster education. The goal is to demonstrate the company’s security commitments and progress and enlighten critical stakeholders on the threats the company faces and what the CISO is doing to mitigate risk. A solid cybersecurity plan should include essential information that the board needs to be aware of regarding how the CISO is mitigating cyber risk. Some key elements include:

  • Security Incidents and the Business Impact: The board needs to be aware of what attacks the business is facing and how the business is responding. Not only in how they are actively detecting, containing, and recovering from the attacks but also in what the company is doing to fix key issues discovered. If there is any incident that will be material to the company, the board needs to be in the loop and able to provide input.
  • Emerging Threats and How the Business is Mitigating Them: Present the board with a detailed account of the top near-term cyber threats the company will be monitoring, call for all parties to be vigilant for the unexpected (and how the unexpected should be expected) and make it crystal clear who internally has responsibility for implementing safeguards and monitoring for cyber threats.
  • Current Initiatives and Status: Review the company’s current security footprint and recommendations for future investments, which clearly explain and justify these expenses. The reasons could include combating emerging threats, the need to secure the company’s growing remote workforce, etc.

Clear ongoing communications

While board and executive meetings like this are vital, just because a CISO has a plan and has presented it to key stakeholders doesn’t mean their communications end there. The CISO should commit to clear ongoing discussions with leadership and the board, including details on how cybersecurity goals are aligned with business objectives, updates on the latest threats, and how the company is prepared to mitigate each. At the same time, be sure to use this time to reinforce the message that cybersecurity is a shared responsibility and not a one-way street. CEOs and board members must be active listeners while providing feedback and asking questions.

Know your audience

One vital facet of a CISO’s job that doesn’t garner enough attention is communication, and in particular how, to be effective, that communication must vary depending on the audience. For example:

  • Executive leadership: Here, your messages must focus on how cybersecurity impacts finances, investors, reputation, and competitive advantage.
  • Legal teams: Communications should center on regulatory concerns, the risks that the actions you are proposing can address, and the implications that could result from inaction.
  • Technology teams: Embrace multi-linguistic communications to effectively communicate with each business unit in their unique language. This entails detailing the technical risks and outcomes that will result if specific threats are not addressed (e.g., downtime for the product). To be most effective, tie in key metrics or impacts that matter to each stakeholder.
  • Employees: They are your first line of defense, so all communications should be educational, easy to understand, and prescriptive while clearly articulating their role in keeping the company secure.
