The job of the CISO is becoming increasingly complex, with new rules around security and compliance, disclosure requirements following incidents, and more.
As the profile of cybersecurity has increased within enterprises, so has the challenge of finding people to fill senior roles and then hanging on to them.
It can be a challenging proposition to navigate your first 30 days as CISO. You have the responsibility of securing an entire company on your shoulders, and you know that without robust security infrastructure and processes, the organization is exposed to external threats, service restrictions and degradation, and insider risk.
In security, we are very used to talking about features and functions in the tools we use. When it comes to measuring the positive impact of what we spend on cyber, in terms of both people and equipment costs, we tend to be equally abstract. For years, mean time to detection and mean time to resolution have probably been the two most widely used metrics for cybersecurity progress, and counting the number of security incidents handled is still probably how the CISO tracks his team’s contribution to the organization.
I’ve led security functions and established cybersecurity board reporting processes for over 25 years. The relationship between CEOs and CISOs has always held contradictions, and the decisions around when to disclose a breach have always been hard. But the recent developments involving the SEC and SolarWinds are a regulatory game-changer for the CISO community. Still, I think we’ll all ultimately come out OK from this if we behave ethically.