A v-CISO’s Take on the 5 Issues Facing Cybersecurity

A v-CISO is an on-demand consultant with a company’s leadership team with a good vantage point for spotting security issues

In just 20 years, we’ve seen the cybersecurity field grow from virtually non-existent into a $120 billion industry. But no matter how much it grows, it still feels like the bad guys are always two steps ahead. Why? Because our adversaries are, in fact, at an advantage.

This advantage has less to do with our opponents’ skills or expertise than it does with the way in which we, as a society, respond to the threat landscape. Our culture is not ready to put in the work and money necessary to level the playing field.

I have a unique vantage point on this issue because my job as a virtual chief information security officer (v-CISO) has put me front and center at some of the most prominent businesses in America—with a view that has included the good, the bad and the ugly.

If you’re unfamiliar with the term v-CISO, you’re likely not alone. The role is relatively new. Born out of a growing need for hard-to-find, seasoned security professionals, a v-CISO is an on-demand consultant who serves alongside a company’s leadership team, engaged in the design and execution of the organization’s cybersecurity strategy.

Given the fast-changing threat landscape, the need to have an experienced leader at the helm of a company’s security program is more important now than ever. Unfortunately, many organizations are not in the position to hire another executive to join their C-suite, which is why the v-CISO has become so valuable. Having one allows companies with smaller budgets or immature security programs to hire an on-demand chief information security officer whose deep expertise supports their organization amid one of the largest skills gaps in recent history.

Throughout my decades-long experience in the field, I’ve learned a thing or two about the challenges facing the cybersecurity industry. Steve Jobs once said those within the relatively young tech industry have limited diverse experience and therefore a narrowed perspective, leaving them with linear solutions. A v-CISO is an insider with an outsider’s perspective—someone who can connect the dots and identify solutions that otherwise are not immediately apparent to others within the organization.

The good news is everything is fixable, with the right perspective. Here’s a closer look at the five issues holding the cybersecurity industry back (and how we can fix them):

Manpower

It’s no secret that the cybersecurity industry is short of talent. According to Cybersecurity Ventures, not only has the industry witnessed an incredible 35-fold growth in 13 years, but more than 3.5 million jobs are expected to go unfilled by 2021. The fallout is more than just unfilled jobs. It’s putting a real strain on current employees, causing premature career burnout and forcing employers to staff positions with underqualified personnel.

Far too often, I’ve worked with companies that have staffed critical security functions with employees who are in over their heads. There simply aren’t enough professionals, at all levels.

The search must be widened. Soft skills are as important as, or more important than, technical skills. While cybersecurity has significant support from—and influence on—the IT function of an organization, it is critical that organizations recognize that the CISO must connect with and be respected throughout the business itself. The abilities to communicate, partner and lead throughout the organization are critical for the security professional, particularly the CISO. Focusing talent selection only on those with the “right” technical skills will result in a misguided selection. The CISO must be capable of functioning in the realm of business and being a good ambassador for those topics that will affect every aspect of the business.

While higher-ed programs are opening up, we are still a few years away from the influx of graduates who will begin to fill the skills gap. However, that still won’t solve the issue of vacant leadership positions, which is why organizations should think about outsourcing. A good outside firm can fill the gap until the industry catches up.

Firms staffed with personnel who not only understand security but also have operational experience and can make good business decisions should be the industry goal. Qualified CISOs (and their virtual counterparts) should understand how a business functions in all areas, including finance, product development, sales, procurement and human resources, and have industry-specific expertise. The only way a cybersecurity program can be effective is if it is baked into every facet of the business, and that requires a certain level of experience in all areas.

Budget

Unlike Europe and many other markets around the globe, the United States doesn’t spend nearly enough on cybersecurity. It’s a cultural issue that has bled into both the public and private sectors, and it’s why we are seeing so many major breaches. For many, if a business function doesn’t offer a visible return, it’s not a priority—at least not until a company gets audited or experiences a breach. This way of thinking is rampant in the United States and I’ve seen it firsthand, over and over.

At the bare minimum, the cybersecurity spend should amount to 3 percent to 4 percent of a company’s overall budget. If it’s less, it’s usually a sign that the company is just checking boxes and not taking the security of their organization seriously. And, unfortunately, there will be problems if the budget isn’t addressed quickly.

Focus

Despite state-of-the-art advances in technology, the United States is no more secure than it was decades ago. The reason is simple: We are too focused on the shiny, new technologies and forget that people and processes are truly at the heart of cybersecurity. Today’s distractions include artificial intelligence, blockchain and machine learning, among many other new technologies. All will be great tools in the near future, but they are not an acceptable substitution for a comprehensive cybersecurity program that focuses on modifying people’s behavior toward technology.

Organizations must understand their risks, establish a comprehensive plan based on those risks and execute the plan continually. The plan must also be re-evaluated regularly. It’s not easy, which explains why building and maintaining an effective cybersecurity program often falls to the bottom of a corporate to-do list.

A common trend I see as a v-CISO working across a variety of industries is that companies are solving the wrong problems. Once I get into the trenches with their teams, I find out that they have not established a risk-based approach to identify, prioritize and solve their problems, which is the most important step in the process. Once a company has done so, it can apply its resources in an effective manner, rather than spreading them thin and potentially leaving valuable assets underprotected.

Accountability

Until cybersecurity is treated as a business risk, rather than an IT problem, organizations will continue to fall behind. Why? Because many of a company’s security solutions are things businesses should already be doing within each of the organization’s respective departments. IT can’t fix the processes in place for the finance department and neither should finance be fixing the processes in the IT department.

Cybersecurity is the responsibility of everyone in the organization, but the ownership of it typically falls to IT. I see it all the time, which is why I always ask, “Have you spoken with the other departments?” As an example, finance should generally be accountable and involved with any issue that could adversely affect financial viability. This includes issue resolution and acceptance of any residual risks that are not mitigated. HR should own issues concerning the employee life cycle, which includes appropriate training. New product development with security built in—where are your product managers? You see, this must be the norm if a company is going to manage its security in an effective way.

Visibility and Teamwork

The bottom line is, you can’t fix what you don’t see or understand. Unfortunately, many of today’s company leaders are in the dark about how and where their company data is at risk. But why? As business and technology become increasingly complex, security teams fail to equip leadership with the information that matters. They tend to overcomplicate the issues and fail at facilitating collaboration on a problem, especially if it’s non-technical in nature. All too often, when a problem arises, the knee-jerk reaction is to recommend more technology—without even considering the costs versus benefits. As a v-CISO, I’ve saved companies hundreds of thousands of dollars by recommending changes to the business practices and processes in place, rather than implementing a new technology solution. Simply adding new technology does nothing to change employee behavior. However, implementing processes that increase visibility around cybersecurity efforts and improve employee collaboration can have positive effects that outlast any new technology.

The cybersecurity industry will continue to grow and evolve at an undeniably rapid pace. If we are to have a fighting chance at turning the tide on our adversaries, we need to follow the advice of Steve Jobs and broaden our perspective. Only then can we begin to tackle the issues facing the industry today.

Keith Robertson

Keith Robertson is a Senior Security Strategist at GreyCastle Security. As a former CSO for a Fortune 50 company, Enterprise Risk Officer and recipient of 4 patents, Keith has over 20 years of experience assisting hundreds of companies with the development, implementation and management of security solutions and establishing the governance and risk management necessary to provide executive visibility into program successes.
