Overcoming 10 CISO Pain Points In 2023
So far 2023 has proven to be, ‘new year, new challenges’, for CISOs. We’ve talked to CISOs while observing market and industry shifts and created this list of some bumps in the road to look for through the rest of the year – and how you can steer around these CISO challenges.
This story is part of Security Essentials, the IT Vault’s practical advice for getting the most out of your security team.
“2023 will be an interesting year for CISOs as we move from post pandemic years right into the next big thing, including ChatGPT and many similar tools that have entered into the enterprise ecosystem. CISOs will be challenged with enabling their organization to use the latest AI features and tools while making sure it is not weaponized into advanced security threats.” - Teza Mukkavilli, CISO at ChargePoint.
While your mileage (and industry) may vary, we’ve tried to focus on the 10 most common pain points facing CISO leadership in 2023. So let’s get started:
10. Cybercriminals don’t have budget constraints. But you do.
The balancing act never ends – a board-friendly budget and a rock-solid security program. And it seems that even with increased threats, budgets continue to stagnate – or worse, shrink. A whopping 44% of IT professionals stated their organization ‘will cut spending on (cyber)security in the next year’, per a recent survey.
From bad PR or panicked clients to leaked data or diving stock prices, even the smallest security failures can have a potentially devastating impact. And unfortunately, cybercriminals are increasingly driven by monetary gain or backed by nation-states that don’t care about your budget issues. So, it may be to your advantage to shift the way you’re seen by the board. How much will a cheap solution or budget cuts actually cost if there’s a breach? Is that even measurable? You’ve got to convince your decision-makers that security isn’t a cost center, it's a critical part of business continuity. And as such, shouldn’t get the short end of the budget. (We’ll get into how to position security in a moment.)
Even if that conversation goes well, we live in a world of economic uncertainty, so you’ve still got to be smart in how you spend. If you can’t invest in lots of bodies, focus on keeping key talent and consider AI or automated solutions that make the most of the resources you have without sacrificing productivity or security. Speaking of being smart in how you spend…
“2023 will be an interesting year for CISOs as we move from post pandemic years right into the next big thing, including ChatGPT and many similar tools that have entered into the enterprise ecosystem. CISOs will be challenged with enabling their organization to use the latest AI features and tools while making sure it is not weaponized into advanced security threats.” - Teza Mukkavilli, CISO at ChargePoint
9. Their layoffs could be your top hires.
Across the tech sector, we’ve seen unprecedented layoffs over the past 18 months, which means there’s a lot of top talent out there. And if your organization’s strategic goals include global growth (we’ll talk more about goals later), you should consider international hires, as well.
With these two approaches, you can build a talented security team. Now, bear in mind, be smart. If you low-ball this top talent, you’ll be dealing with many rejected offers. If some are accepted, you’ll face low morale, and possibly have to fill the role again when they leave.
8. Embracing automation. (It won’t be like the “Terminator” movies, we promise.)
Regardless of robotic resistance, in 2023 and beyond, automation is here to stay. But where is it in your organization? Think of how many routine tasks are taking up your team’s time. Vulnerability management. Incident response. Compliance checks. Training. Internal and external customer service.
Your situation or organization is unique, of course, but there’s definitely a benefit to automation. Besides long-term cost savings, you can streamline processes, ensure consistency, AND free up your resources for threat intelligence, risk assessment, and solving high-value problems. The latest advancements in both machine learning and automated reasoning can even help quickly identify new and unknown security risks. Domo arigato, indeed.
7. Consolidating tools and modernizing your IT infrastructure.
In 2023, consolidation is the word on every CISO’s lips. Whether it’s shrinking your team or your budget, your ongoing challenge is doing more with less. But that’s not always a bad thing. Multiple tools from multiple vendors in multiple applications also multiplies your risk exposure, and increases the likelihood of incompatibility issues. With a single vendor, and as many functions operating under a single tool, you can streamline entire processes while saving money and time.
A big part of consolidation is organic if you’re keeping a close eye on your overall IT infrastructure. 2023 will also be a big year for IT modernization, and this is a bandwagon you should definitely be on. Kind of like finally getting around to cleaning your garage or basement (we’ll do it next weekend, for sure!). Solutions that worked for you three years ago may not cut it now, or even play nice with the solution you invested in six months ago. And as bad actors get smarter and more sophisticated, you need to keep up.
While consolidating and modernizing, make sure security is “baked in” rather than “added on,” so you can rise to any security challenge and easily scale when needed. While we’re on the subject of giving security a little more respect…
6. Security isn’t “a” thing. It’s in everything.
Making sure security is “baked in” to your technical infrastructure moving forward is just the tip of the iceberg. We’ve already mentioned how important security is to the bottom line, so it should be as much a living, breathing part of your organization as say, product development or revenue generation. It’s THAT important, and people outside of your team should be aware. It’s all about creating a culture of security. Everyone doing their part, pitching in, solving problems, and understanding the significance of security on everything from their work-issued smartphone to your biggest data center.
So, how do you get there? First, don’t operate in a security silo. Share best practices and educate your organization. Get to know your organization and the challenges they face. Partner with departments like HR for training, or marketing to make security a unique selling point. This way you can collaboratively develop security solutions that solve problems as much as they protect (and differentiate) the organization. Also let staff know your expectations, as well as the risks when they don’t meet them.
But building a culture goes a little further – and may take time. When developing a solution, sharing a presentation, or onboarding a new vendor, you want everyone thinking about security first. That means putting the right tools in place, automating as much as possible, and training people from day one.
By prioritizing security across the board and taking steps to create a culture of security, you may be able to break through and answer “what’s in it for them,” whether it’s as lofty as helping the organization remain secure or as personal as keeping their jobs.
5. Minimizing risk.. with greater purpose.
Between budget cuts, staffing shortages, and the other challenges listed above, in 2023 one of your biggest CISO pain points continues to be one of your most basic: minimizing your organization’s risk exposure. Pretty straightforward considering it’s probably a bullet point in your job description.
However, you can take things to another level (and show even more value to your stakeholders) when you align your risk management with the organization’s overall business objectives. From geographical expansion to new product releases, look at key risks for your industry or company specifically to best align your risk management protocols and processes with what your organization is trying to accomplish. It provides a built-in answer for the inevitable “why” when you raise a risk red flag. And at the end of the day, you’re not simply doing your job, you’re supporting your entire organization’s goals.
4. Getting to Zero Trust.
Seeing “successfully implementing the Zero Trust framework” shouldn’t be a surprise on this list, as every CISO has it on their “to-do” list. That being said, where are you in lining up your security protocols with it? You’d think that authenticating, authorizing, and continuously validating users would be something everyone gets behind, but somehow it’s not that easy. Maybe it’s a challenge because many can’t get past the old “trust, but verify” security approach we’ve all used for years. But with the rapid, recent shift to the cloud, combined with a widely distributed work environment that defines “the new normal,” that old approach is all but obsolete. Zero Trust is quickly becoming a security standard and requirement among customers and end users, which means it can very easily become legislation.
That being said, 2023 is the time to find a partner to help you get to Zero Trust to ensure that you’re ahead of the data privacy and protection curve today, and compliant tomorrow. Working with an external, experienced vendor will help with training, rationales, and most of all, internal objections to this necessary shift.
3. Considering TCO when procuring software.
Anyone who’s ever bought anything from a razor to a home knows that it’s not just what you pay today (“Oh! A cheap razor set!” “It’s our forever home!”), but also what you pay over the product’s lifetime (“These blade cartridges are expensive!” “A new roof is going to cost HOW MUCH?”). It’s our old friend, Total Cost of Ownership (TCO), and it’s a huge consideration when you’re thinking about an enterprise-wide software solution that requires deployment, service, and ongoing maintenance.
As CISO, TCO is an important factor in making a wise choice. While one solution may cost less up front, you may find that the TCO is much higher. Conversely, a product that seems like a huge hit to this year’s budget may pay for itself over time, especially if it’s a proven product that offers better protection against threats. So, what we’re saying is, whether you pay now, or pay later, you ALWAYS pay. Just make sure you’re getting your money’s worth.
2. Expanding while reducing attack surfaces.
With so much either in or moving to the cloud, and a highly distributed workforce, your organization’s digital footprint may be bigger than ever. But then again, that also expands your list of vulnerabilities. You know, “a chain is only as strong as its weakest link,” and all of that. In 2023, CISOs should be prepared (or preparing) for these new attack surfaces, by vetting and consolidating vendors and tools as we mentioned above, as well as implementing stringent authentication and access controls. Expansion will always happen – you just need to ensure that your infrastructure is built to scale without increasing your risk exposure.
1. Getting organizational buy-in (on ALL OF THE ABOVE).
So, these are all things you can do. But when push comes to shove, what you must do is convince your stakeholders and decision-makers. Of all the CISO challenges, and pain points, this is the one all will face in 2023 no matter how many (or few) of the other challenges you try to tackle. Not only do you have to convince the people holding the purse strings, but also the rank-and-file who may be (and often are) resistant to change – so you’re punching both above and below your weight class to get things done.
Think of it as trying to coordinate a family vacation between you, your parents, and your teenage children. When all is said and done, you want everyone to have a good time, but you’re going to have to come at it differently to convince each of them.
So, what you need to do is work both angles intelligently. While those above you can be shown the value of your efforts to the entire organization (see #10 and #6), individual managers and their teams throughout the enterprise may take a little more finesse, especially those who see your mandates and best practices as “recommendations.” (Again, think about explaining house rules to teenagers). The bigger goal is to limit Shadow IT, missing devices from poor offboarding, etc.
By prioritizing security across the board and taking steps to create a culture of security, you may be able to break through and answer “what’s in it for them,” whether it’s as lofty as helping the organization remain secure or as personal as keeping their jobs. The point is this – without your organization behind you, even your best efforts could land with a thud.
So, that’s our top ten. These CISO pain points are just a starting point, but can go a long way to making your job – and your life – easier in 2023 and beyond. To learn more about what automation can do to support your team, your security goals, and your organization, talk to Lumos.
Designing a Program that Mitigates the Risks and Costs Associated with Shadow IT
Data breaches, security vulnerabilities, and compliance issues are just some of the problems associated with shadow IT, as well as the potential to violate regulatory requirements and risk being out of compliance.