5 Ways CISOs Can Navigate Their New Business Role

Today's CISOs are under attack from numerous quarters, both within and outside their organizations. Certainly, there are plenty of bad actors using new and more sophisticated exploit methods to penetrate their networks. But internally, they're also under fire.

The requirements for the modern chief information security officer are myriad: to stay current with implementing new technologies and protective measures, sure, but also to improve staff skills and morale, and above all, to take a higher leadership profile and responsibility for reducing overall compliance risk and legal liability.

According to Forrester's recent security program recommendations report, "the eyes of the world are on CISOs — but not in a good way. There is now a long list of sacrificial CISOs who have either been fired or left due to disagreements with their firms."

Navigating what comes next isn't easy, but here are five takeaways from Forrester's analysis that might help identify some pathways to success.

Empathy Can Rebuild Trust After a Breach

One consequence of the continued assault on corporate networks is the erosion of trust, especially among customers and business partners, according to Forrester analyst Heidi Shey, writing in a recent report on brand implications from privacy lapses.

She recommends that CISOs conduct a critical examination of both cybersecurity and privacy risks across the entire operation, including partner and supplier ecosystems, because, as she wrote, "robust privacy oversight, practices, and accountability structures will be the foundation for creating new products and supporting ethical and responsible data use in your digital transformation."

However, CISOs also need to be empathetic and transparent with prompt post-breach notifications, understanding the concerns of suppliers, partners, and customers about the damage that breaches can inflict — no matter whose fault the incident ends up being. 

"There's a tendency for self-preservation after a breach, and it is logical to keep information to yourself, even afterward when the event is over," says Max Shier, CISO at Optiv. "However, cybersecurity professionals and especially CISOs need to ensure there is as much information sharing as possible to help others learn from the event."

Be Candid When You Make Mistakes

Part of this reconstruction of trust is that CISOs need to come clean, take ownership when there are problems, and be proactive about working with various stakeholders to fix them.

"Practice radical candor with your key constituencies and executives," is one Forrester suggestion. In other words, ask the difficult questions and work toward a consensus.

"Transparency, understanding, and keeping the lines of communication open can help the entire supply chain cope with an event if something is disrupted along the line," Shier says. "It's key to having a resilient supply chain, but it's also key to helping each other during and after an event, as there are ripple effects up and down the supply chain."

CISOs can’t afford to not pay attention to their data breach liability: A breakdown from the firm of the top 35 breaches across the world in 2023 found that organizations paid almost $2.6 billion in fines for exposing 1.5 billion records, with almost half of the breaches happening at public agencies and healthcare-related industries. Among this list were breaches at many of the world's largest telecommunications providers. Out of the top 35 breaches, all but one happened in the European Union and US.

Operational Transparency: More Than Just PR

Further, transparency should be a natural part of a CISO's playbook, not just something that is activated in post-breach situations. Part of the motivation is compliance, as Forrester analysts noted.

"Regulators are pushing for greater transparency," they wrote. "They’re making it easier by giving incentives to security leaders to act in the best interest of customers — and themselves — with the threat of legal action. Poor transparency leads to a breach of law, a breach of trust, and a continuation of transparency theater. In other words, do what you say you do with your data." 

In another report issued earlier this month, Forrester's analysts also gave this advice to security managers: "Don’t sign your name to third-party risk assessments, insurance underwriting documents, or regulatory compliance attestations that obfuscate or gloss over program or product flaws."  

In general, CISOs need to "own it, recognize where things went wrong, and proactively work to fix them, including as many stakeholders as possible to ensure you fix the root cause and identify any other issues that may have been missed," Shier says. "This is especially true now that CISOs are increasingly being held personally accountable for issues that may arise from corporate negligence or security issues that were persistent, known, and not mitigated."

Pay More Attention to Upskilling Your Staff

CISOs are also challenged to keep their staffs current on new technologies, new threats, and new prevention methods.

"Security is a moving target, things are changing so fast," says Lisa Rokusek, a recruiter with her own St. Louis–based agency, called rokusekrecruits.com. "Many companies have had a terrible track record in terms of developing and then retaining their internal talent. It is very short sighted."

The way forward is to invest in more and better upskilling programs, something Forrester analyst Jess Burn wrote about in his report on the subject. "The lack of employees with security skills was a key challenge at many organizations," he said. "Investing in technology over training only increases the skills gap as practitioners struggle to keep up with learning new tools versus building proficiency in key domains."

Embrace New Technologies, but Understand Context

When it comes to implementing new technology — generative AI, let's say — it's almost inevitable that CISOs will get caught up in a hype cycle at some point. But it's important to keep a clear head and think carefully about any data privacy risks versus security benefits when it comes to new platforms.

"The cybersecurity industry is just like any other and also falls prey to hype cycles," Shier says. "AI, zero trust, and security platforms immediately come to mind. The CISO’s job is to weigh the risks, benefits, weed through the marketing jargon, and ascertain a good balance of both risk and benefit, while still enabling the business. Not an easy task, especially when AI has truly changed the world, both good and bad, and the need for implementation is extremely high, or your business can quickly become irrelevant."

As Forrester analysts noted regarding ChatGPT-like features, "prioritize usefulness over flashiness, realize AI's constraints and understand its impacts," on an organization's infrastructure, data, and operations.

Another example is the move to passwordless. Forrester recommends that enterprises to move toward passwordless and other better authentication methods to prevent future attacks. However, this isn't something a CISO can just flip a switch on.

"At the 80,000-foot level this is all true, we have needed something better than passwords for a long time," says Phil Dunkelberger, the CEO of Nok Nok, a long-time authentication vendor. "Here is where the rub is: When our customers start to implement passwordless solutions, we have found the devil is in the details; every vertical has its own security needs, its own regulatory mandates, and of course platforms vary widely too."