Insights into the role, challenges and future of the UK CISO
A changing landscape
Today’s CISO is pulled in multiple directions, tasked with compliance, cyber security and risk management. Expected to wear both a technical and a business hat, the role is further complicated by the rapid changes in the cyber threat environment, increasing expectations of the board, budget constraints and ongoing challenges around sourcing the right talent.
As a vendor-agnostic specialist cyber security and data privacy consultancy offering CISO as a service, we’ve been engaging with businesses since 2013 in a transparent and expert way. We are committed to delivering the best, most appropriate consultancy and solutions that empower our clients to protect their organisations and effectively mitigate risk.
We spoke to a focus group of CISOs drawn from different industries, including financial services, public sector, third sector, critical national infrastructure, technology and professional services. The focus of the discussion was on current challenges, the future of the role and the impact of technology.
This is what we discovered…
The evolution of cyber attacks and the increasing sophistication of attackers means that businesses, and as a result CISOs, face a number of different threats from an increasing number of avenues.
For CISOs in our focus group, this includes typical risks like data breaches and email attacks, internal elements such as getting board or organisation-wide buy-in, as well as larger issues such as responding to emerging threats quickly, staff retention and fewer resources. Dealing with the consequences of cyber attacks, such as fines, impact on customer trust and overall business operations, was also highlighted as a key challenge.
One of the stand-out responses from a CISO in the professional services sector focused on the impact that the cyber threat was having on smaller businesses. SMEs face the same threats and compliance requirements as enterprises but have just a fraction of the resources and budget.
Another respondent from the financial services industry said the risks were essentially the same today as they have always been:
“(It’s the) Same as the last few years; rapidly changing threat landscape combined with a poor awareness of the need to properly secure the assets.”
Tackling the cyber security challenge
Operating in an ever-changing environment is a challenge in itself. Looking at the most challenging elements of the CISO role, lack of time, managing vendors and keeping the board and wider organisation engaged were top contenders. In effect, CISOs spend more time firefighting than addressing the larger business issues.
This challenge was summed up by a respondent in the financial services industry: “The lack of time to strategize combined with limited resources in the technology teams to deliver on the necessary pace of change and improvement.”
Board buy-in also remains a key issue, despite the fact that cyber security tops the agenda for most businesses. We asked CISOs what impact the increase in media attention on cyber attacks and security has had on their role. The responses were mixed, with many seeing it as a double-edged sword, saying it both helps and hinders their cause.
While media attention makes it easier to secure funding and helps focus the attention of executives, it also puts more pressure on CISOs to get things done and makes the board more aware of the repercussions.
A public sector respondent noted it was both easier and harder because the consequences of a security event have become better understood by operations and wider audiences.
“Technology solutions that purport to solve security problems mean the demand for quick-fixes gain traction when slower, more embedded organisational solutions are more sustainable.”
Bridging the skills gap
While there’s an acknowledged widening skills gap in cyber security — according to the UK government, 54% of businesses and charities have a basic technical security skills gap — there are broader issues to consider.
Many CISOs see the real problem not in recruiting staff but in recruiting and retaining the right staff. Many feel it’s one thing to have individuals with the right qualifications and another to recruit passionate and dedicated staff who see the role as more than a job.
“…InfoSec is as much a state of mind and too many want to be told what to do, ‘by rote’. But this often isn’t viable as the attacks, technology and counter-measures are constantly evolving and you need the people who can work within and contribute to that.” – Financial services CISO
As a result, the skills gap is about more than just finding the right skills; it speaks to the broader picture of finding and keeping the right people, with the right attitudes and rewarding them accordingly.
Not just about skills…
- Retaining staff
- Cyber security should be a calling, not just a job
- Shortening the gap between skills and remuneration
What are the solutions?
- Upskilling existing employees
- Working with the right staff
- Training at school level
- Hiring apprentices
- Reducing the overlap in security roles
The influence of technology
Technology plays a tremendous role in fighting cyber crime, which means it has a proportionate impact on the CISO.
We asked respondents which technology was having the biggest impact on their business. Responses were varied, with one CISO highlighting Office 365 because it has created new vectors for phishing that are harder to spot. In addition, one respondent said shadow technology continues to put their organisation at risk, while another flagged legacy tools as an issue.
Cloud was also called out, as both a positive and a negative, from problems with Azure Active Directory to Windows Server 2003, to using the power of the technology for monitoring data and security.
“Cloud — being able to leverage cloud security technology and being able to maintain visibility of data and associated security.” — Technology CISO
The future CISO
While many CISOs don’t believe their roles will change over the next 18 months, there was a definite leaning towards the role becoming more business focused.
This reflects a wider industry shift with CISOs becoming less IT focused and playing more of an active part at board level.
This sentiment also supports the view that CISOs will need to engage with more stakeholders in the future, such as platform and tooling teams, and vendors to close gaps in security.
Becoming less security technical and more business focused to help senior stakeholders better understand the issues with security and pragmatic ways to resolve them. This means looking at softer skills training, influence, communications, etc.