What are the biggest challenges that a CISO faces today?
The role of Chief Information Security Officer or CISO has been around for 25 years, pioneered Steve Katz 1995, but only seems to have gained traction more broadly over the past 5 - 7 years.
The role has now firmly established itself as an integral part of the corporate hierarchy as enterprises have begun to take security concerns more seriously. Which is understandable as according to the IBM Security Cost of Data Breach Report; the Average cost of a data breach in 2020 was a staggering $3.86 Million.
Some of the key challenges faced by CISO’s and those responsible for a company’s security capability include, but are of course not limited to;
Hackers and Adversarial AI
Very likely near the top spot. Coming from multiple vectors, times and styles. The ol’ game of cat and mouse.
Human Error
There is a lot a CISO can do to mitigate risk and reduce the possibility of data breaches and system compromise. But that all gets thrown out of the window when an employee unknowingly falls for a phishing scam, clicks on ransomware, introduces Shadow IT etc
Tick box security
Probably the most challenging of all. When a company hires someone to focus on its security capability but isn’t really invested in it, but need to be seen to do something.
In reality in many cases this is down to the board, owners etc not understanding the importance and or impact of security.
Does the CISO join for the challenge and try to manage upwards, educate and make a difference? Or bang your head against the wall and leave like others have in the past.
Lack of Developed Security Professionals
When faced with threats from multiple vectors, a well-developed cybersecurity team poses the most reliable defence to hackers. But Identifying, sourcing, building and retaining that crack commando unit is no easy feat. There is a chronic skills shortage of the very best cyber talent in the industry. The top 25- 30% of talent in the industry have their head down and are well looked after. Combine that with the fact that the traditional methods that most internal talent teams and external recruiters use do not consistently attract this talent in a buoyant market, yet alone in the strange times we find our self in #2020, and it is no surprise that companies struggle and often fail to attract the very best talent .
Budget
Since the beginning of the IT services profession, budget allocation, constraints and reductions have always been a challenge. Allocating a budget into something where there is no obvious return can be a hard pill for a board to swallow. But in the case of security- no news is very much good news. Unless of course you have been breached and don’t know it.
Thoughts from an expert:
Robert Rodger, CISO at Butterfield Group.
Security is a team sport.
Often security teams fail as they try to own everything, the we can do it best mentality it creates animosity, is costly, does not scale and will fail. Security is a team game where everyone in an organisation needs to play their part. Enable teams to do their job securely, as a example; provide developers with the tools, knowledge and support to deliver security code and test it themselves. Do the same with the front-line business team, infrastructure folks. Do that and you have delivered one method of scaling security and making it culturally embedded not just a bolt on process.
Alex Radford, CISO at Global Processing Services Ltd
It sounds cheesy, but security really is everyone’s responsibility. It would be great if common sense was common but unfortunately it isn’t. One of the aims today, is to make security as simple as possible for the users to comply with, which means focusing on the core pieces of security such as good access control processes and simplifying the requirements on the users. Mistakes will still happen, and they are an opportunity to learn, but when they do happen having the correct controls to ensure impact is small is helpful for the business.
Good security is not just how many compliance standards have you passed, it needs to be pervasive and ongoing. Achieving standards is a demonstration that the right things are being done, but being secure is more than just the minimum to meet a standard.
Elliot Rose, Member of PA's Management Group
In the current challenging COVID19 conditions we are seeing an increase in attacks as organisations around the world have been forced to divert resources and adopt more porous operating modes. Organisations and employees are working out of habit and employee’s defences can be down, as they adjust to the new ways of working and are having to make significant personal adjustments to daily life in order to operate safely. Increasingly organisations are experiencing a greater number of attempts to ‘socially engineer’ an attack in order to elicit sensitive information. CISOs are under pressure to provide employees with secure collaboration tools and messaging facilities. Communication is also key and business leaders (not just the CISO) need to ensure that employees are fully aware of the increase security risks.
We are also seeing secure remote as a business enabler, driving greater take up of digitisation and reducing costly office overheads. Many organisations are already looking ahead and planning how they can make the most of their investment in secure remote working to grow their business further. That means CISOs need to properly understand the changes in the business that are planned, identifying where cyber security can underpin the changes in a way that is supportive to the business.
David King, RISO at OmnicomMediaGroup
“The Boy that cried Wolf”
We are (or perhaps ‘were’) often accused of being that boy… the one that cried wolf… and we all know how that ended! There is often a disconnect between what we, as security professional, say and what our customers, clients or users expect or hear. In the same way, we are often accused of scare mongering. The GDPR was an example of that “If you don’t do as we say you’ll end up with a massive fine”. We need to get better at telling impactful stories. Why we want the company to part with cash, why people need to do their training, why we need to install more agents on the machines and why we need to monitor the network. Telling the right kinds of stories helps people understand and appreciate what we are doing and why. It’s another way of building trust, and trust is key when you’re trying to develop a culture of security.
Latest Jobs
-
- Azure Identity Consultant
- Netherlands
- discussed on applications
-
Are you a cybersecurity expert passionate about identity and access management? We are seeking a talented IAM Technical Specialist to join our Sec Ops team. In this role, you will play a pivotal part in developing and maintaining our IAM infrastructure, ensuring the highest levels of security and compliance. What you'll do: Design, implement, and maintain IAM solutions for both on-premise and cloud environments. Collaborate with cross-functional teams to integrate IAM systems into various applications and processes. Conduct security assessments and risk analysis to identify and mitigate vulnerabilities. Stay up-to-date with the latest IAM technologies and industry best practices. What we're looking for: Experience: experience as a technical specialist with expertise in AD management. IGA concepts: Experience with Identity Governance and Administration (IGA) concepts such as RBAC, PAM, SIEM, SSO, segregation of duties (SoD), data classification, and recertification. Azure Identity Management: Minimum 2 years of demonstrable experience with Azure identity management, specifically within complex organizations. IT knowledge: Good general knowledge of IT environments such as Active Directory, Azure Cloud, Office 365, SharePoint Online, etc. Protocol knowledge: Familiar with SAML, OIDC, OAuth, and SCIM. Programming languages: Minimum 3 years of experience with development languages such as PowerShell; knowledge of Java or C# is a plus.
-
- Cloud Architect- German Speaker
- Hungary
- Upto €48000 per year + bonus + benefits
-
As a Senior Pre-Sales Solutions Architect, you will play a pivotal role in driving our sales success by translating complex technical solutions into compelling proposals that resonate with our clients. You will collaborate closely with our sales teams to understand customer needs, design tailored solutions, and negotiate successful deals. Responsibilities: Solution Design: Develop comprehensive technical solutions that align with customer business objectives and industry best practices. Proposal Development: Create compelling proposals, including requirements gathering questionnaires, presentation materials, and Statements of Work (SOWs). Customer Engagement: Build strong relationships with clients, understanding their technical, business, and commercial requirements. Collaboration: Work closely with sales teams, delivery teams, and third-party partners to ensure successful project execution. Pricing Strategy: Define and deliver pricing strategies that align with customer needs and company objectives. Requirements: Experience in technical pre-sales or sales support roles. Proven track record in designing and delivering successful customer solutions. Strong technical foundation in areas such as VMware, Azure, AWS, cloud computing, and data center technologies. Excellent understanding of sales principles, account management, and negotiation techniques. Ability to explain complex technical concepts clearly and concisely. Experience working in international teams and supporting clients across multiple regions. Fluency in German and English is essential. Benefits: Competitive salary and benefits package Opportunity to work on challenging and rewarding projects Collaborative and supportive work environment Potential for career growth and advancement Please note that this role is focused on supporting German clients, but will also involve global client support as needed.
-
- Microsoft Sentinel Architect
- United Kingdom
- discussed on applications
-
Microsoft Sentinel Architect We're seeking a talented and experienced Microsoft Sentinel Architect to be responsible for the design, deploy of a new Sentinel solution into an expanding Services business. As a key member of our team, you'll play a vital role in driving security operations and protecting clients' assets. Responsibilities: Solution Design: Develop comprehensive Microsoft Sentinel architectures aligned with our clients' specific needs and industry best practices. Deployment and Configuration: Oversee the deployment and configuration of Sentinel components, including data connectors, analytics rules, and playbooks. Integration: Integrate Sentinel with other security tools and platforms within our MSSP ecosystem. Tuning and Optimization: Continuously monitor and optimize Sentinel performance to ensure maximum effectiveness and efficiency. Training and Mentoring: Mentor junior team members and provide training on Sentinel technologies and best practices. Required Skills and Experience: Proven experience as a Microsoft Sentinel Architect with a deep understanding of its capabilities and limitations. Strong technical skills in Azure, security operations, and data analytics. Experience designing and implementing complex security solutions, into a services environment Knowledge of threat intelligence, incident response, and compliance frameworks. Excellent communication and problem-solving skills.
-
- Network & Security Consultant
- Romania
- €54000 plus benefits
-
Senior Network & Security Engineer to join a Managed Network & Security Team in Europe. In this critical role, you will: Play a pivotal role in managing and securing network infrastructure across datacenters, customer connections, and on-premise deployments. Proactively monitor network and security devices, analyse incidents, and implement solutions to ensure optimal performance and security. Collaborate with colleagues and customers to troubleshoot issues, troubleshoot outages, and implement effective resolutions. Lead and participate in network system installations for new facilities and expansions. Develop and maintain network infrastructure procedures, recommend technical strategies, and propose improvements to enhance network capabilities. Stay up-to-date on the latest network and security technologies and trends. Work as part of a collaborative international team, contributing to team presentations and knowledge sharing. To be successful, you'll need: Proven expertise in Cisco network solutions (CCNP R&S/Sec/Wireless preferred) for both BAU and project work. In-depth knowledge of network security principles and experience with Fortinet firewalls. Experience deploying and managing large, complex network infrastructure (routing, switching, wireless, security). Solid understanding of ITIL v3 framework for incident, change, and problem management. Excellent troubleshooting skills with experience using Wireshark or similar protocol analysers. Strong communication and teamwork skills, with the ability to work independently and collaborate effectively.